Socket.IO is a popular library enabling real-time, bidirectional communication between web clients and servers, and versions 0.6.14 and 0.6.15 represent incremental steps in its early evolution. Both versions, authored by LearnBoost, focus on providing a cross-browser WebSocket experience, simplifying the development of applications requiring instant data updates.
The key difference between 0.6.14, released on February 22, 2011, and 0.6.15, released just one day later on February 23, 2011, likely involves bug fixes, minor performance improvements, or small feature enhancements. Given the rapid release cycle, it's improbable that 0.6.15 introduces major API changes or revolutionary functionalities. Developers upgrading from 0.6.14 should anticipate a smoother and more stable experience, rather than substantial new capabilities. Socket.IO, at this stage, would have been attractive to developers building chat applications, collaborative tools, or live-streaming dashboards. The library's main draw was its ability to abstract away the complexities of WebSocket implementations, providing a consistent and easy-to-use interface across different browsers. The repository, hosted on GitHub under LearnBoost, encouraged community contributions and provided developers with a transparent view of the project's development. Detailed changelogs or release notes from that era might be scarce now, but reviewing community forums or GitHub commit history around that time could reveal the precise changes implemented.
All vulnerabilities related to version 0.6.15 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range  | Needs minor update?                            |
|----------------|------------------------------------------------|
| 4.6.2...latest | Nothing to do                                  |
| 3.0.0...4.6.1  | Please upgrade to socket.io@4.6.2 (at least)   |
| 2.3.0...2.5.0  | Please upgrade to socket.io@2.5.1              |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

```javascript
io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});
```
Thanks a lot to Paul Taylor for the responsible disclosure.