Socket.IO is a popular library for building real-time applications, enabling bidirectional communication between web clients and servers. Versions 0.7.5 and 0.7.6 share a common foundation, both designed to simplify cross-browser real-time interactions with a WebSocket-like API. Both versions depend on redis for pub/sub functionality, policyfile for Flash socket policy support, and socket.io-client for the client-side component. They also share the same development dependencies, should for assertions and expresso for testing. The author is also the same: Guillermo Rauch.
The key difference lies in the version number, indicating bug fixes and improvements introduced in 0.7.6, released just hours after 0.7.5. While the specific changes aren't detailed in this metadata, the quick release cycle suggests the update addressed critical issues or minor enhancements identified shortly after the initial 0.7.5 release. Developers should prefer version 0.7.6, since it includes these immediate refinements and therefore offers a more stable and reliable real-time experience. Both versions are available via npm from the same registry and share the same repository; the later release date marks 0.7.6 as the preferred choice. The repository URL indicates that this is the Node.js version. Choosing the correct registry tarball URL is also essential to download and install the library in your project.
All vulnerabilities related to version 0.7.6 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The socket.io package before 2.4.0 is vulnerable to Insecure Defaults due to CORS misconfiguration: all domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
    node:events:502
          throw err; // Unhandled 'error' event
          ^

    Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
        at new NodeError (node:internal/errors:405:5)
        at Socket.emit (node:events:500:17)
        at /myapp/node_modules/socket.io/lib/socket.js:531:14
        at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
      code: 'ERR_UNHANDLED_ERROR',
      context: undefined
    }
| Version range  | Needs minor update?                              |
|----------------|--------------------------------------------------|
| 4.6.2...latest | Nothing to do                                    |
| 3.0.0...4.6.1  | Please upgrade to socket.io@4.6.2 (at least)     |
| 2.3.0...2.5.0  | Please upgrade to socket.io@2.5.1                |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:
    io.on("connection", (socket) => {
      socket.on("error", () => {
        // ...
      });
    });
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.