Socket.IO version 0.6.6 represents a minor iteration over its predecessor, version 0.6.5, within the popular real-time communication library. Both versions of Socket.IO are designed to facilitate bidirectional and event-based communication between web browsers and servers, enabling the creation of interactive applications like chat applications, collaborative editors, and real-time dashboards. Leveraging WebSocket technology where available, and gracefully falling back to other techniques like Flash sockets or long polling when necessary, Socket.IO aims for broad cross-browser compatibility.
Based on the available data, the core difference lies in the release date, with version 0.6.6 released shortly after 0.6.5. This suggests that version 0.6.6 most likely addresses bug fixes, performance enhancements, or minor feature tweaks relative to the previous release.
For developers considering Socket.IO, the choice between versions 0.6.5 and 0.6.6 depends on the specific requirements and risk tolerance. The generally accepted rule of thumb is that the newer the version, the more stable it is and the more fixes it includes, so version 0.6.6 is the suggested one. Given the proximity of the release dates, the changes are most likely bug fixes or small improvements. Both versions share the same foundational characteristics: cross-browser WebSocket emulation, a simple API for event-driven communication, and a robust architecture for building real-time applications. Developers should always consult the changelog or release notes for each version for a complete picture of the specific changes.
All vulnerabilities related to version 0.6.6 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration: all domains are whitelisted by default.
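As an added example (not from the advisory or the socket.io project), here is an explicit origin allowlist that replaces the permissive "all origins" default. The `cors.origin` callback shape is the one the `cors` package documents and that socket.io 3.x/4.x accepts in its Server options; the helper names and the sample origins are this example's own, and the socket.io wiring at the bottom is assumed rather than executed here.

```javascript
// Added example, not socket.io's own code: an explicit origin allowlist in
// place of the "all origins" default. Sample origins are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Exact-match only. Substring or loosely written regex checks are the usual
// source of allowlist mistakes, so the origin string must match a listed
// entry character for character (scheme, host and port included).
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || origin.length === 0) return false;
  return allowlist.has(origin);
}

// Builds the `cors` option object for `new Server(httpServer, { cors })`.
// A missing Origin header (non-browser client) is rejected here as the
// conservative choice; relax this only if such clients must connect.
function buildCorsOptions(allowlist = ALLOWED_ORIGINS) {
  return {
    origin(origin, callback) {
      if (isAllowedOrigin(origin, allowlist)) return callback(null, true);
      return callback(new Error("Origin not allowed"), false);
    },
    methods: ["GET", "POST"],
    credentials: true,
  };
}

// Wiring (assumed socket.io 3.x/4.x API; not executed in this example):
// const { Server } = require("socket.io");
// const io = new Server(httpServer, { cors: buildCorsOptions() });
```

Because `credentials: true` lets the browser attach cookies to the handshake, it must never be combined with a wildcard origin; the exact-match allowlist above is what makes that setting safe. On the 2.x branch the equivalent knob is the `origins` option, which I have not exercised here.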
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported to the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

```js
io.on("connection", (socket) => {
  socket.on("error", () => {
    // the presence of this listener stops emit("error") from throwing;
    // log or handle the error here
    // ...
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.