Socket.IO is a popular library enabling real-time, bidirectional communication between web clients and servers. Versions 0.6.17 and 0.6.18, released in March and May of 2011 respectively, offer developers tools to build interactive applications like chat, online gaming, and collaborative editing platforms. Both versions share the same foundational goal: providing a cross-browser WebSocket abstraction to simplify real-time development. Primarily authored by Guillermo Rauch, these versions facilitated the creation of responsive and engaging user experiences.
While the core functionality remains consistent, the step from 0.6.17 to 0.6.18 is a patch-level release; developers upgrading should consult the change log in the repository for the exact bug fixes and any minor API adjustments. Key benefits for developers using Socket.IO during this era included its event-driven nature, allowing for structured communication patterns, and its ability to fall back to alternative transports (such as Flash sockets or long polling) when native WebSockets were not available, which gave broad compatibility across browsers. For developers maintaining legacy applications, the security-relevant point is that every advisory listed below was fixed in a later release line (0.9.x, 2.x or 4.x), so 0.6.18 is affected by all of them and the only remediation is to upgrade. Socket.IO was, and through its newer versions still is, a cornerstone technology for building responsive web applications.
All vulnerabilities affecting version 0.6.18 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
Versions of socket.io before 2.4.0 are vulnerable to insecure defaults due to CORS misconfiguration: all origins are whitelisted by default, so a page served from any origin can open a Socket.IO connection to the server from a visitor's browser unless the deployment restricts origins itself.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range   | Needs minor update?                            |
|-----------------|------------------------------------------------|
| 4.6.2...latest  | Nothing to do                                  |
| 3.0.0...4.6.1   | Please upgrade to socket.io@4.6.2 (at least)   |
| 2.3.0...2.5.0   | Please upgrade to socket.io@2.5.1              |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported to the 2.x branch in https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event on every connected socket, so that the event is delivered to your handler instead of being raised as an unhandled exception:

```js
io.on("connection", (socket) => {
  socket.on("error", (err) => {
    // Log or ignore; the presence of the listener is what prevents the crash.
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.