Socket.IO version 0.6.4 arrived shortly after the holidays in January 2011, a quick follow-up to version 0.6.3, released just before Christmas 2010. The core metadata reflects the rapid iteration cycle common in early-stage software: both versions carry the same description, "The cross-browser WebSocket", and the same author and repository, so the key difference between them is the release date.
Given the short interval between the two releases, version 0.6.4 most likely contains bug fixes, performance improvements, or minor feature enhancements over 0.6.3 rather than an overhaul, and upgrading from 0.6.3 to 0.6.4 should be a smooth transition. Before migrating, a diligent developer would check the changelog to verify that the differences do not affect the rest of the stack. The main advantage of these library versions is compatibility with older browsers, but since they are almost 15 years old you would probably prefer to stick with newer releases. The tarball URLs provide the means to acquire the specific releases for project integration, with all the features of a cross-browser WebSocket adapter.
All vulnerabilities affecting version 0.6.4 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
Versions of the socket.io package before 2.4.0 are vulnerable to insecure defaults due to CORS misconfiguration: all domains are whitelisted by default.
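As an added example (not socket.io's own code), here is an explicit origin allow-list in the callback form that the `cors` package, which socket.io 3.x and later delegate to via the `cors` server option, accepts. The origins in ALLOWED_ORIGINS are constructed sample values and the function names are assumptions for this example.

```javascript
// Constructed allow-list of origins this deployment trusts (sample values).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Exact-match check on the whole origin (scheme, host and port). Prefix,
// suffix or regex matching is the usual mistake here: it lets
// "https://app.example.com.attacker-controlled.test" through. A missing
// Origin header is denied rather than treated as same-origin.
function originAllowed(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || origin.length === 0) return false;
  return allowed.has(origin);
}

// Callback form understood by the `cors` package: cb(null, true) allows the
// request, cb(null, false) denies it.
function corsOrigin(origin, cb) {
  cb(null, originAllowed(origin));
}

// Wiring into a server (not executed here; requires socket.io >= 3):
//   const { Server } = require("socket.io");
//   const io = new Server(httpServer, { cors: { origin: corsOrigin } });
// Setting `origin: "*"` or `origin: true` instead reproduces the
// everything-allowed behaviour the advisory describes.

module.exports = { ALLOWED_ORIGINS, originAllowed, corsOrigin };
```

Keeping the allow-list as exact strings rather than patterns is the design choice worth noting: it makes the set of accepted origins auditable by reading the configuration, which a regex does not.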
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2
(released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

```javascript
// `io` is the Socket.IO server instance, e.g. `new Server(httpServer)` on 3.x+
// or `require("socket.io")(httpServer)` on 2.x
io.on("connection", (socket) => {
  socket.on("error", (err) => {
    // handle or log the error here so it is not re-thrown as an unhandled 'error' event
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.