Socket.IO version 0.6.8 represents a minor iteration over its predecessor, version 0.6.7, offering developers a slightly refined take on the cross-browser WebSocket communication library. Both versions share a common foundation, providing the essential tools needed to build real-time applications. Developers familiar with 0.6.7 will find themselves in familiar territory with 0.6.8, as the core functionality and principles remain consistent.
The key difference lies in subtle improvements and potential bug fixes implemented in 0.6.8. While a detailed changelog isn't provided here, the release date suggests a quick follow-up to 0.6.7, indicating that the changes might address immediate concerns or refinements discovered shortly after the initial release. For developers, this translates to a potentially more stable and polished experience, particularly if they encountered any minor issues in 0.6.7.
For developers choosing between the two, version 0.6.8 is the logical choice as it likely incorporates improvements over 0.6.7. However, both versions offer the core Socket.IO functionality that made it a popular choice, enabling real-time bidirectional communication between web servers and clients, allowing for functionalities like chat applications, collaborative tools, and live data feeds. Given the relatively close release dates, the decision rests on the specific needs of your project and any issues one or the other presents in your specific context. Regardless, both iterations represent mature and reliable choices within the 0.6.x series of Socket.IO.
All the vulnerabilities related to version 0.6.8 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
Versions of the socket.io package before 2.4.0 are vulnerable to Insecure Defaults due to CORS misconfiguration: all domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```text
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range  | Needs minor update?                           |
|----------------|-----------------------------------------------|
| 4.6.2...latest | Nothing to do                                 |
| 3.0.0...4.6.1  | Please upgrade to socket.io@4.6.2 (at least)  |
| 2.3.0...2.5.0  | Please upgrade to socket.io@2.5.1             |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

```js
io.on("connection", (socket) => {
  socket.on("error", () => {
    // handle or log the error; the presence of a listener is what prevents
    // the uncaught exception from killing the Node.js process
  });
});
```
Thanks a lot to Paul Taylor for the responsible disclosure.