Socket.IO is a widely-used JavaScript library enabling real-time, bidirectional communication between web clients and servers. Versions 0.7.4 and 0.7.5, released closely together in June 2011, offer developers a straightforward way to build interactive applications like chat, online games, and collaborative tools, leveraging a WebSocket-like API for cross-browser compatibility.
The package metadata for these two releases is essentially identical. Both depend on redis for data storage and pub/sub, policyfile for serving the Flash socket policy file, and socket.io-client for the client-side component, pinned to version 0.7.3. The development dependencies used for testing and assertions (should and expresso) are the same, as are the author and repository fields.
The only tangible difference between versions 0.7.4 and 0.7.5 is the version number and the release date. Version 0.7.5 was released shortly after 0.7.4, which suggests it carries minor bug fixes, patches, or very small enhancements. Developers upgrading from 0.7.4 to 0.7.5 likely experienced a smooth transition with minimal code adjustments. Since the dependencies are unchanged, the two versions can be expected to offer the same features and nearly identical performance; the choice between them comes down to the bug fixes in the newer release.
All known vulnerabilities affecting version 0.7.5 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
Versions of socket.io before 2.4.0 are vulnerable to insecure defaults due to CORS misconfiguration: every origin is whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
node:events:502
      throw err; // Unhandled 'error' event
      ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}
```
| Version range | Needs minor update? |
|---------------|---------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

```js
io.on("connection", (socket) => {
  // With a listener registered, a malformed packet no longer turns into an
  // uncaught ERR_UNHANDLED_ERROR that kills the Node.js process.
  socket.on("error", () => {
    // ...
  });
});
```
Thanks a lot to Paul Taylor for the responsible disclosure.