Socket.IO version 0.6.9 arrived shortly after 0.6.8, a quick iteration in the development of this popular cross-browser WebSocket library. For developers relying on real-time communication in their web applications, these early versions represent a formative stage in Socket.IO's evolution. Both versions share the same package description, "The cross-browser WebSocket", and originate from LearnBoost; the short interval between releases suggests that 0.6.9 contains bug fixes, performance improvements, or minor feature enhancements considered important enough to warrant a new release.
Migrating from 0.6.8 to 0.6.9 would likely be straightforward, and developers should prioritize the update. Socket.IO at the time offered a seamless way to establish bidirectional communication between clients and servers, abstracting away the differences between browser implementations and transport mechanisms, so that chat applications, collaborative tools, and live dashboards could be built with less effort. Given the rapid pace of web development, upgrading to 0.6.9 ensured developers were using the most stable and optimized version available at that point in time, and, given the release dates, it could also pick up fixes for any security issues discovered and resolved in between. Each version incrementally improves the robustness and developer experience Socket.IO provides.
All vulnerabilities affecting version 0.6.9 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS misconfiguration: all origins are allowed by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process:

```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range  | Needs minor update?                            |
|----------------|------------------------------------------------|
| 4.6.2...latest | Nothing to do                                  |
| 3.0.0...4.6.1  | Please upgrade to socket.io@4.6.2 (at least)   |
| 2.3.0...2.5.0  | Please upgrade to socket.io@2.5.1              |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

```javascript
io.on("connection", (socket) => {
  socket.on("error", (err) => {
    // With a listener attached, emit("error") no longer throws, so a
    // malformed packet cannot take down the process. Log or handle here.
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.