Socket.IO version 0.7.3 represents a minor update from the preceding 0.7.2, offering enhancements for developers building real-time applications. Both versions aim to simplify cross-browser real-time communication using a WebSocket-like API. A notable difference lies in the dependencies. Version 0.7.3 introduces a specific dependency on redis version 0.6.0, suggesting potential improvements or fixes related to integrating Socket.IO with Redis for features like scaling and multi-server setups. This contrasts with version 0.7.2, which lacks a direct Redis dependency in its listed dependencies. The policyfile dependency is present in both versions, with 0.7.2 indicating a minimum version of ">= 0.0.3". Both versions also share the socket.io-client dependency, aligning with their respective versions to ensure compatibility between the server and client-side components. Development dependencies like should and expresso remain consistent, primarily used for testing and development purposes. The core functionality, as described, remains consistent between the two versions. From a developer's perspective, the key difference is the introduction of the explicit Redis dependency in 0.7.3. If you are employing Redis with Socket.IO, upgrading to 0.7.3 might provide a more stable and tested integration.
All known vulnerabilities affecting version 0.7.3 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
Versions of socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS misconfiguration: all domains are whitelisted by default, so any origin can open a connection unless the operator restricts it explicitly.
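An explicit origin allowlist is the fix regardless of version. The following is an added example (not the socket.io project's code) showing a pure origin check and the callback form it plugs into. The wiring shown (`cors.origin` as a `(origin, callback)` function, as passed through to the `cors` package) is the option shape of socket.io 3.x/4.x and is assumed here; the allowed origins are constructed for the example.

```javascript
"use strict";

// Explicit set of origins allowed to open a Socket.IO connection.
// Constructed for this example; replace with your deployment's origins.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Compare whole origins (scheme + host + port), never substrings, so that
// "https://app.example.com.evil.net" and "http://app.example.com" are rejected.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // not a parseable origin (includes the literal "null")
  }
  // URL.origin normalises case and default ports:
  // "HTTPS://APP.EXAMPLE.COM:443" -> "https://app.example.com"
  return parsed.origin !== "null" && ALLOWED_ORIGINS.has(parsed.origin);
}

// Callback shape of the `cors.origin` option (assumed socket.io 3/4 form):
// callback(error, allow). Requests without an Origin header (curl, native
// clients) are decided explicitly rather than falling through as allowed.
function originCallback(origin, callback) {
  if (origin === undefined) return callback(null, false);
  callback(null, isAllowedOrigin(origin));
}

// The weak setting (equivalent to the pre-2.4.0 default of allowing every
// origin) beside the hardened configuration.
const weakOptions = { cors: { origin: "*" } };
const hardenedOptions = { cors: { origin: originCallback, credentials: true } };

// Usage (not executed here):
//   const { Server } = require("socket.io");
//   const io = new Server(httpServer, hardenedOptions);
```

Parsing with `URL` rather than string comparison is deliberate: it normalises case and default ports so legitimate browsers are not rejected, while still refusing look-alike hosts and scheme downgrades.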
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```text
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2
(released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

```javascript
io.on("connection", (socket) => {
  socket.on("error", (err) => {
    // handle or log the error; the listener's presence is what keeps
    // EventEmitter from throwing and killing the process
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.