Socket.IO version 0.6.17 is a minor update to version 0.6.16 of this popular library for real-time, bidirectional communication between web clients and servers. Both versions provide cross-browser WebSocket support, so developers can build applications that need instant updates and interactive behaviour without handling transport differences themselves.
One noticeable change between the versions is the listed author. Version 0.6.16 attributes authorship to "LearnBoost," while 0.6.17 names "Guillermo Rauch" with an email address, suggesting a shift in maintainership or simply a more specific attribution of the work. The repository URL also changes slightly: 0.6.17 uses a "git://" URL, which the package metadata suggests as a potentially more secure git protocol.
From a developer's perspective, the core functionality of Socket.IO is the same in both versions: a reliable way to establish persistent connections for features such as chat applications, live dashboards, and collaborative tools. No detailed changelog is included in this data, but the short gap between the two releases (approximately three weeks) suggests that 0.6.17 consists of bug fixes, performance improvements, or minor feature enhancements on top of 0.6.16. Prospective adopters should consult the project's changelog before upgrading.
All known vulnerabilities affecting version 0.6.17 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration: all domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```text
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

```javascript
io.on("connection", (socket) => {
  // With a listener attached, an 'error' event becomes an ordinary callback
  // instead of an uncaught exception that terminates the Node.js process.
  socket.on("error", () => {
    // ...
  });
});
```
Thanks a lot to Paul Taylor for the responsible disclosure.