Socket.IO 0.7.4 is a minor update to the real-time communication library, building on 0.7.3. Both versions aim to simplify cross-browser real-time applications behind a WebSocket-like API. The runtime dependencies are unchanged between the two releases: redis (used as a store for multi-process deployments) and policyfile (the Flash socket policy server). The socket.io-client dependency also stays at 0.7.3, so the client-side protocol and feature set are unchanged, and basic socket behaviour should be identical after an upgrade from 0.7.3 to 0.7.4.
Because the architecture and dependencies are the same, 0.7.4 most likely carries only bug fixes and small improvements; the two releases were published about two hours apart, which is consistent with a quick fix-up release. Developers should still read the changelog for this release to confirm there are no breaking changes. The devDependencies, including the should and expresso test frameworks, are identical, so the way the library is tested and developed did not change. Migrating from 0.7.3 to 0.7.4 should therefore be straightforward. Note, however, that the 0.7.x line is affected by every advisory listed below, so an upgrade to a currently maintained major version, not a patch-level bump, is what actually removes the exposure.
Known vulnerabilities affecting version 0.7.4 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, so the IDs are predictable. Math.random() is not a cryptographic generator: with enough prior IDs an attacker can reconstruct its state, guess the ID of another client's socket and interact with the socket.io server as that client, without authorization.
Update to v0.9.7 or later, which generates socket IDs from a cryptographically secure source.
CORS misconfiguration in socket.io
Versions of socket.io before 2.4.0 are vulnerable to insecure defaults due to CORS misconfiguration: all origins are whitelisted by default. Any web page can therefore open a Socket.IO connection to the server, and if the browser attaches the user's cookies to that connection the page can act on the user's behalf (cross-site WebSocket hijacking). Upgrade to 2.4.0 or later and configure an explicit origin allowlist.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. The crash looks like this:

```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Required action |
|---------------|-------------------------------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported to the 2.x branch in socket.io@2.5.1: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, attach a listener for the "error" event on every connected socket. Node only throws ERR_UNHANDLED_ERROR when an "error" event has no listener, so any listener at all keeps the process alive; the malformed packet is then delivered to your handler instead:

```javascript
io.on("connection", (socket) => {
  socket.on("error", (err) => {
    // Log or drop the offending client here; do not rethrow.
  });
});
```
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.