Socket.IO is a popular library for building real-time applications that work across different browsers, offering a WebSocket-like API for simplified development. Version 0.7.1 arrived shortly after version 0.7.0, representing a quick iteration in the library's development. Developers considering upgrading from 0.7.0 to 0.7.1 should note the subtle differences.
Both versions share the same core dependencies: policyfile and socket.io-client at version 0.7.0, which means the underlying mechanisms for handling security policies and client-side communication remained consistent. Similarly, the development dependencies for testing (should and expresso) are unchanged between the two releases. From a dependency perspective, the upgrade seems uneventful.
The differences therefore lie in whatever bug fixes, minor enhancements, or performance tweaks went into 0.7.1. Given the short interval, the update most likely addresses specific issues found in the initial 0.7.0 release, so developers hitting problems or wanting slightly better stability are the ones most likely to benefit from moving to 0.7.1. The release dates show that 0.7.1 was published on the day after 0.7.0, roughly 12 hours later. To determine the precise nature of the changes, consult the release notes or the commit history in the linked GitHub repository before upgrading.
All known vulnerabilities affecting version 0.7.1 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
Versions of the socket.io package before 2.4.0 are vulnerable to Insecure Defaults due to CORS misconfiguration: all domains are whitelisted by default, so unless a deployment restricts origins explicitly, a page on any origin can open a cross-origin connection to the server.
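An explicit origin allowlist is the fix for the default described above. The block below is an added example, not socket.io's own code: it shows the permissive setting next to a strict one in the shape that socket.io 3.x/4.x forwards to the `cors` package through the server's `cors` option, plus a small evaluator that applies an `origin` option the way that middleware does (simplified to boolean results). The origins listed are hypothetical.

```javascript
// Added example, not socket.io's code. Origins below are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Exact, case-sensitive match on the whole Origin header value. Deliberately
// no substring, prefix or regex checks: "https://app.example.com.evil.net"
// and "https://app.example.com@evil.net" must not pass.
function isOriginAllowed(origin) {
  // No Origin header, or the opaque origin "null" (sandboxed iframes, file://)
  if (typeof origin !== "string" || origin === "null") return false;
  return ALLOWED_ORIGINS.has(origin);
}

// Weak configuration, equivalent in effect to the pre-2.4.0 default:
// every origin is accepted.
const corsOptionsWeak = { origin: "*" };

// Hardened configuration. The cors package calls origin(requestOrigin, cb);
// cb(null, true) reflects the request's origin in Access-Control-Allow-Origin,
// cb(null, false) withholds the header. credentials: true is needed because
// the HTTP long-polling transport sends cookies.
const corsOptionsStrict = {
  origin(requestOrigin, callback) {
    callback(null, isOriginAllowed(requestOrigin));
  },
  credentials: true,
};

// Apply an `origin` option to one request, returning whether the browser will
// be allowed to read the response for that origin (simplified evaluator).
function decideOrigin(corsOptions, requestOrigin) {
  const opt = corsOptions.origin;
  if (opt === "*" || opt === true) return true;
  if (typeof opt === "string") return opt === requestOrigin;
  if (typeof opt === "function") {
    let result = false;
    opt(requestOrigin, (err, allow) => {
      if (err) throw err;
      result = allow === true;
    });
    return result;
  }
  return false;
}

// Usage in a socket.io 3.x/4.x server (shown, not executed here):
//   const io = new Server(httpServer, { cors: corsOptionsStrict });
```

On the 2.x branch the equivalent knob is `io.origins(...)`, which takes a string or the same `(origin, callback)` style function; the default for that setting is what 2.4.0 changed.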
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
throw err; // Unhandled 'error' event
^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
at new NodeError (node:internal/errors:405:5)
at Socket.emit (node:events:500:17)
at /myapp/node_modules/socket.io/lib/socket.js:531:14
at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
code: 'ERR_UNHANDLED_ERROR',
context: undefined
}
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

The ranges in this table start at 2.3.0, so version 0.7.1 is not covered by them; the two advisories above (predictable IDs, fixed in 0.9.7, and the permissive CORS default, fixed in 2.4.0) are the ones that apply to 0.7.1 directly.
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was later backported to the 2.x branch and shipped in socket.io@2.5.1: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event on every connected socket, so that the emit finds a handler instead of being turned into an uncaught exception:
io.on("connection", (socket) => {
  socket.on("error", (err) => {
    // handle the per-client failure here (log it, disconnect the socket)
    // instead of letting the whole Node.js process die
    // ...
  });
});
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.