Socket.IO is a popular JavaScript library for real-time, bidirectional communication between web clients and servers. Versions 0.6.12 and 0.6.14, released in February 2011, are incremental updates from the early stages of the library's development. Both serve the same purpose, a cross-browser real-time transport that uses WebSocket where available and falls back to other transports where it is not, and the only visible difference between them is the release date: 0.6.14 arrived a few days after 0.6.12.
For developers, a patch-level bump like this usually means bug fixes, performance improvements, or minor adjustments. Specific changelogs for these two releases are not readily available, so within the 0.6 line the later release (0.6.14) is the one to prefer. Note, however, that choosing 0.6.14 over 0.6.12 has no bearing on the advisories listed below: all of them affect 0.6.14, and their fixes landed in 0.9.7, 2.4.0 and 4.6.2 (2.5.1 for the 2.x line) respectively. A deployment still on any 0.6.x release should plan an upgrade to a supported major version rather than to a sibling patch release.
Even in these early versions, Socket.IO's main advantage was abstracting away the work of establishing and maintaining a real-time connection across browsers with uneven WebSocket support. That let developers build chat, online gaming, and live data dashboards without handling low-level transport details. Both versions come from the same LearnBoost repository, reflecting the open-source, community-driven development of the project.
All vulnerabilities affecting version 0.6.14 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, so the IDs are predictable. With enough information about prior IDs, an attacker may be able to guess a valid socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS misconfiguration: all origins are allowed by default, so a page served from any origin can open a Socket.IO connection to the server from inside a victim's browser. Update to 2.4.0 or later and configure an explicit origin allowlist rather than relying on the default.
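The following is an added example, not socket.io's own code, of the origin check that an explicit allowlist performs, placed next to the permissive default the advisory describes. In socket.io 2.x the allowlist is supplied through the `origins` option and in 3.x/4.x through `cors.origin`; the helper names `normalizeOrigin`, `makeOriginCheck` and `allowAnyOrigin` and the sample origins below are this example's own.

```javascript
// Added example, not socket.io's code: exact-match origin allowlisting versus
// the "allow every origin" default. Helper names and sample origins are assumed.

// Normalise an Origin header value to "scheme://host[:port]" with default
// ports dropped, so "https://app.example:443" and "https://app.example" compare
// equal. Returns null for anything that is not a real origin, including the
// literal "null" origin sent by sandboxed iframes and file:// pages.
function normalizeOrigin(origin) {
  try {
    const u = new URL(origin);
    if (!u.protocol || !u.host) return null;
    return u.origin === "null" ? null : u.origin;
  } catch {
    return null; // malformed, or the literal string "null"
  }
}

// Build a check from a list of allowed origins. Matching is exact on the
// normalised origin: no substring or prefix logic, which is what would let
// "https://app.example.evil" or a URL that merely contains the allowed host
// in its query string slip through.
//
// Non-browser clients send no Origin header at all; whether to admit them is a
// deployment decision, so it is an explicit option here (default: reject).
function makeOriginCheck(allowed, { allowMissingOrigin = false } = {}) {
  const set = new Set(allowed.map(normalizeOrigin).filter(Boolean));
  return function isAllowed(originHeader) {
    if (originHeader === undefined || originHeader === null) return allowMissingOrigin;
    if (typeof originHeader !== "string") return false;
    const o = normalizeOrigin(originHeader);
    return o !== null && set.has(o);
  };
}

// The insecure default the advisory describes: every origin accepted. Shown
// only for contrast. With this in place, any page on the web can connect to
// the server using the visitor's cookies and act as that user.
const allowAnyOrigin = () => true;

// Hardened configuration: only the two front-ends that legitimately talk to
// this server, scheme and port included.
const strictCheck = makeOriginCheck([
  "https://app.example",
  "https://admin.app.example:8443",
]);

console.log(strictCheck("https://app.example"));        // true
console.log(strictCheck("https://app.example.evil"));   // false
console.log(allowAnyOrigin("https://app.example.evil")); // true (the problem)
```

When wiring this into a real server, the same exact-match list is what belongs in `cors.origin` (4.x) or `origins` (2.x); the function form is useful where the list must be computed per request or where you want to log rejected origins.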
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process:

```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range   | Needs minor update?                           |
|-----------------|-----------------------------------------------|
| 4.6.2...latest  | Nothing to do                                 |
| 3.0.0...4.6.1   | Please upgrade to socket.io@4.6.2 (at least)  |
| 2.3.0...2.5.0   | Please upgrade to socket.io@2.5.1             |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was also backported to the 2.x branch and shipped in socket.io@2.5.1: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event on every connected socket:

```js
io.on("connection", (socket) => {
  // The mere presence of a listener stops Node from turning an unhandled
  // "error" event into a fatal exception. Log what arrived and consider
  // closing the offending connection.
  socket.on("error", () => {
    // ...
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.