Socket.IO versions 0.6.4 and 0.6.5 represent incremental steps in the evolution of this popular library for real-time, bidirectional communication between web clients and servers. Both versions, authored by LearnBoost, share the same core purpose: to enable seamless, cross-browser WebSocket functionality, simplifying the development of applications that require instant updates and interactions. Developers leveraging Socket.IO can build chat applications, online games, collaborative tools, and live data dashboards with relative ease.
The difference between these versions lies in implementation details and the bug fixes that 0.6.5 introduces over 0.6.4. The high-level description and repository are unchanged, so the newer version most likely addresses identified issues or brings minor improvements to stability or performance, and the updated release date reflects that ongoing refinement. Socket.IO abstracts the complexities of WebSocket communication, particularly for older browsers that lack native support: by providing fallback transports and a unified API, it gives broader compatibility, which matters for developers targeting diverse user bases, and it remains a relevant library to study. Developers should consult the release notes or commit log for version 0.6.5, where available, to see the concrete changes.
All the vulnerabilities related to version 0.6.5 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS misconfiguration: all origins are allowed by default, so any website a user visits can open a Socket.IO connection to the server in that user's browser.
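The corrected configuration is an explicit origin allowlist. The following added example (not socket.io's code) shows an exact-match allowlist check of the kind you would wire into the library's origin option; the allowed origins are constructed sample values, and the two wiring snippets in the comments reflect my understanding of the `io.origins()` callback in 2.x and the `cors.origin` option in 3.x/4.x, which you should confirm against the release you run.

```javascript
// Origins the operator actually trusts (constructed sample values).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Decide whether an Origin header value may open a connection. Comparison is
// on scheme + host + port exactly, so "https://app.example.com.evil.com" and
// "http://app.example.com" are both refused. Returns true only for a trusted origin.
function isAllowedOrigin(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string" || originHeader === "null") {
    // Missing or opaque ("null") origins come from sandboxed frames, file://
    // pages and some redirect chains; treat them as untrusted rather than
    // falling back to "allow all".
    return false;
  }
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false; // not a syntactically valid origin
  }
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return false; // a real Origin header never carries a path, query or credentials
  }
  return allowlist.has(url.origin);
}

// Wiring (assumed APIs, not executed here):
//
// socket.io 2.x:
//   io.origins((origin, callback) => callback(null, isAllowedOrigin(origin)));
//
// socket.io 3.x / 4.x (option is passed through to the `cors` package):
//   new Server(httpServer, {
//     cors: { origin: (origin, callback) => callback(null, isAllowedOrigin(origin)) },
//   });
```

Keep the allowlist to full origins rather than bare hostnames or suffix matches; a suffix check such as `endsWith("example.com")` is the classic way an allowlist silently becomes "allow evil-example.com too".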
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```text
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported to the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event, which stops Node.js from throwing when the event is emitted:
```javascript
io.on("connection", (socket) => {
  socket.on("error", (err) => {
    // Log the error and decide whether to keep the connection; the listener's
    // presence alone is what prevents the process from crashing.
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.