Socket.IO version 0.7.2 is a minor iteration over its predecessor, version 0.7.1, of the popular library for building real-time web applications. Both versions share the same core purpose: simplifying the creation of cross-browser applications with WebSocket-like functionality. The most notable difference is the dependency on socket.io-client: version 0.7.2 requires socket.io-client 0.7.2, aligning the client and server versions for potentially improved compatibility and feature parity, whereas version 0.7.1 depends on socket.io-client 0.7.0. The newer client version most likely brought bug fixes, new features and enhancements on the client side, giving a more stable and feature-rich base for real-time application front-ends. Both versions depend on policyfile (version >= 0.0.3) and share the same development dependencies (should 0.0.4 and expresso 0.7.7), indicating a consistent testing and development environment. The core functionality and stated purpose of the library remain consistent between the two versions. Developers already using 0.7.1 should upgrade to 0.7.2, because it is the best match for the client library and they benefit from the client library's fixes.
All the vulnerabilities related to the version 0.7.2 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The socket.io package before 2.4.0 is vulnerable to Insecure Defaults due to CORS misconfiguration: all domains are whitelisted by default.
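An explicit origin allowlist replacing the permissive default, as an added example that is not socket.io's own code. It assumes the socket.io 3.x/4.x `cors` option, which hands its `origin` callback through to the `cors` package with the `(origin, callback)` signature; the two allowed origins are placeholder values.

```javascript
// Added example (not socket.io's own code): replace the allow-everything
// default with an exact-match allowlist. The origins below are placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Exact-match check. Returns true only for a well-formed origin string whose
// scheme+host+port is listed, in canonical form. No wildcards and no
// substring matching, so "https://app.example.com.evil.test" is rejected,
// and so is a plain-http variant of an allowed host.
function isOriginAllowed(origin) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  // The Origin header carries only scheme://host[:port]; require that form.
  return origin === parsed.origin && ALLOWED_ORIGINS.has(parsed.origin);
}

// Options object as it would be passed to `new Server(httpServer, serverOptions)`
// in socket.io 3.x/4.x. The origin callback delegates to the check above;
// a missing Origin header is treated as not allowed.
const serverOptions = {
  cors: {
    origin(origin, callback) {
      callback(null, isOriginAllowed(origin));
    },
    credentials: true,
  },
};

module.exports = { ALLOWED_ORIGINS, isOriginAllowed, serverOptions };
```

For the 2.x branch the equivalent knob is the `origins` option; the same exact-match function can back it, the point being that the allowlist is stated by the deployment rather than left at the default.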
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
throw err; // Unhandled 'error' event
^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
at new NodeError (node:internal/errors:405:5)
at Socket.emit (node:events:500:17)
at /myapp/node_modules/socket.io/lib/socket.js:531:14
at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
code: 'ERR_UNHANDLED_ERROR',
context: undefined
}
| Version range | Needs minor update? |
|----------------|----------------------------------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.