Socket.IO version 0.6.10 arrives as a refined iteration of the popular cross-browser WebSocket library, building upon the foundation laid by version 0.6.9. While both versions share the same core purpose of enabling real-time bidirectional communication between web clients and servers, subtle improvements and bug fixes likely distinguish the newer release. Developers leveraging Socket.IO for building interactive applications, such as chat services, online games, or collaborative tools, will find version 0.6.10 a potentially more stable option.
The relatively short time span between the releases, with version 0.6.10 appearing just a few days after 0.6.9, suggests that the update addresses critical issues discovered shortly after the initial release or introduces minor enhancements. Because both versions are quite old, little public information about them survives, so a developer considering either version should start by examining the changelog or release notes for 0.6.10. Those would reveal the precise nature of the changes and allow an informed decision on whether the update is necessary for their project. Security improvements, bug fixes related to browser compatibility, or performance tweaks would all be compelling reasons to upgrade from 0.6.9. Although newer versions of Socket.IO exist, they increment the overall version to 4.x and higher, and moving to them can be a breaking change for older code.
All vulnerabilities affecting version 0.6.10 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration: all domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
throw err; // Unhandled 'error' event
^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
at new NodeError (node:internal/errors:405:5)
at Socket.emit (node:events:500:17)
at /myapp/node_modules/socket.io/lib/socket.js:531:14
at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
code: 'ERR_UNHANDLED_ERROR',
context: undefined
}
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:
io.on("connection", (socket) => {
socket.on("error", () => {
// ...
});
});
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.