Socket.IO version 0.9.4 represents a minor iteration in the 0.9.x series, building upon the foundation established by version 0.9.3. Both versions cater to developers seeking to build real-time applications with cross-browser compatibility, leveraging a WebSocket-like API for ease of use. Crucially, the core description and the overarching goal of providing a seamless real-time experience remain consistent between the two releases.
The significant difference lies within the socket.io-client dependency. Version 0.9.4 updates this sub-package to version 0.9.4, implying bug fixes, performance improvements, or new features within the client-side component used for establishing and managing socket connections from the browser. While other dependencies like redis and policyfile remain unchanged, this update to the client is the principal enhancement to be aware of when upgrading.
For developers, this means that moving from 0.9.3 to 0.9.4 necessitates updating the client-side Socket.IO library employed within their web applications. Developers should carefully examine the socket.io-client changelog (from version 0.9.3 to 0.9.4 if available) to understand the precise nature of the changes, especially concerning any potential compatibility implications with their existing code or impact on the performance of their real-time features. The release date difference shows that the 0.9.4 appeared just a few days after 0.9.3, suggesting that the bug fixes must have been really important.
All the vulnerabilities related to the version 0.9.4 of the package
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Update to v0.9.7 or later.
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
throw err; // Unhandled 'error' event
^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
at new NodeError (node:internal/errors:405:5)
at Socket.emit (node:events:500:17)
at /myapp/node_modules/socket.io/lib/socket.js:531:14
at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
code: 'ERR_UNHANDLED_ERROR',
context: undefined
}
| Version range | Needs minor update? |
|------------------|------------------------------------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:
io.on("connection", (socket) => {
socket.on("error", () => {
// ...
});
});
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.
Remote Memory Disclosure in ws
Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.
In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.
var ws = require('ws')
var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')
client.on('open', function () {
console.log('open')
client.ping(50) // this sends a non-zeroed buffer of 50 bytes
client.on('pong', function (data) {
console.log('got pong')
console.log(data) // Data from the client.
})
})
Update to version 1.0.1 or greater.
DoS due to excessively large websocket message in ws
Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.
Update to version 1.1.1 or later.
Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.
Denial of Service in ws
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
const WebSocket = require('ws');
const net = require('net');
const wss = new WebSocket.Server({ port: 3000 }, function () {
const payload = 'constructor'; // or ',;constructor'
const request = [
'GET / HTTP/1.1',
'Connection: Upgrade',
'Sec-WebSocket-Key: test',
'Sec-WebSocket-Version: 8',
`Sec-WebSocket-Extensions: ${payload}`,
'Upgrade: websocket',
'\r\n'
].join('\r\n');
const socket = net.connect(3000, function () {
socket.resume();
socket.write(request);
});
});
Update to version 3.3.1 or later.
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.
Upgrade UglifyJS to version >= 2.4.24.
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.
var u = require('uglify-js');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.
xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.