Socket.IO is a JavaScript library enabling real-time, bidirectional communication between web clients and servers. Versions 0.6.1 and 0.6.3, both released around December 2010, aimed to deliver a consistent cross-browser WebSocket experience. Although the package metadata for the two versions is nearly identical, the step from 0.6.1 to 0.6.3 most likely brought bug fixes and minor enhancements for stability and performance; the exact changes are not listed in the available data.
For developers, Socket.IO makes it practical to build applications that need immediate data updates, such as chat applications, collaborative tools and real-time dashboards. Its key advantage is that it hides the details of the WebSocket implementation behind a consistent API across browsers, including those without native WebSocket support, by falling back to alternatives such as Flash sockets or long polling so that communication works regardless of the client's capabilities. When moving from 0.6.1 to 0.6.3, developers should expect subtle improvements to connection reliability and possibly fixes for edge cases seen in the earlier version. Check the changelog, if one is available, for full details.
All vulnerabilities affecting version 0.6.3 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration: all domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
| Version range  | Needs minor update?                          |
|----------------|----------------------------------------------|
| 4.6.2...latest | Nothing to do                                |
| 3.0.0...4.6.1  | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0  | Please upgrade to socket.io@2.5.1            |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

    io.on("connection", (socket) => {
      socket.on("error", () => {
        // ...
      });
    });
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.