Version Details and Security Vulnerabilities

📦

socket.io

1.1.0

Comparision Betweeen 1.1.0 and 1.0.6

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 1.1.0 Details

Socket.IO version 1.1.0 builds upon the solid foundation of its predecessor, 1.0.6, offering refinements and updates that enhance real-time communication capabilities for Node.js applications. Key differences lie in the updated dependencies, most notably engine.io which jumps from version 1.3.1 to 1.4.0. This upgrade likely introduces improvements in transport mechanisms, connection stability, and overall performance of the underlying engine that powers Socket.IO's real-time features. While the core functionality may remain consistent, developers can anticipate a more robust and efficient experience with the newer version.

Another notable difference is the update of has-binary-data from 0.1.1 to 0.1.3, and socket.io-parser from 2.2.0 to 2.2.1 suggesting enhancements in binary data handling and message parsing. This leads to increased reliability and potentially better performance when dealing with complex data structures. The client-side component, socket.io-client mirrors its server counterpart, moving from 1.0.6 to 1.1.0, to maintain client-server compatibility and ensure seamless interaction.

Developers should always prioritize using the latest versions of libraries, as they typically come with crucial bug fixes and security patches. Therefore, upgrading to Socket.IO 1.1.0 is recommended to benefit from these improvements and maintain the stability of real-time applications. Furthermore, the releaseDate difference indicates a newer, more actively maintained version, making it a preferable choice for forward-looking projects. One should note that repository has changed from LearnBoost to Automattic.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

socket.io

1.1.0

Comparision Betweeen 1.1.0 and 1.0.6

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 1.1.0 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.1.0 of the package socket.io.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.1.0 of the package

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@1.1.0

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@1.1.0

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.

Details about debug@0.7.4

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@0.7.4

Summary:

Resource exhaustion in engine.io

Details:

Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Details about engine.io@1.4.0

Summary:

Uncaught exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

| Version range | Fixed version | |-------------------|---------------| | engine.io@3.x.y | 3.6.1 | | engine.io@6.x.y | 6.2.1 |

For socket.io users:

| Version range | engine.io version | Needs minor update? | |-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------| | socket.io@4.5.x | ~6.2.0 | npm audit fix should be sufficient | | socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.5.x | | socket.io@4.0.x | ~5.0.0 | Please upgrade to socket.io@4.5.x | | socket.io@3.1.x | ~4.1.0 | Please upgrade to socket.io@4.5.x (see here) | | socket.io@3.0.x | ~4.0.0 | Please upgrade to socket.io@4.5.x (see here) | | socket.io@2.5.0 | ~3.6.0 | npm audit fix should be sufficient | | socket.io@2.4.x and below | ~3.5.0 | Please upgrade to socket.io@2.5.0 |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Details about engine.io@1.4.0

Summary:

Remote Memory Disclosure in ws

Details:

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

Details about ws@0.4.31

Summary:

DoS due to excessively large websocket message in ws

Details:

Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.

Recommendation

Update to version 1.1.1 or later. Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

Details about ws@0.4.31

Summary:

Denial of Service in ws

Details:

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation

Update to version 3.3.1 or later.

Details about ws@0.4.31

Summary:

parse-uri Regular expression Denial of Service (ReDoS)

Details:

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

PoC

async function exploit() {
    const parseuri = require("parse-uri");
    // This input is designed to cause excessive backtracking in the regex
    const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
    const result = await parseuri(craftedInput);
    }
await exploit();

Details about parseuri@0.0.2

Summary:

Insecure Defaults Allow MITM Over TLS in engine.io-client

Details:

Affected versions of engine.io-client do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks.

The vulnerability is related to the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates to false, such as undefined or null, certificate verification will be disabled.

Recommendation

Update to version 1.6.9 or later.

If you are unable to upgrade, ensure all calls to socket.io to have a rejectedUnauthorized: true flag.

Details about engine.io-client@1.4.0

Summary:

Regular Expression Denial of Service in parsejson

Details:

Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input.

Recommendation

The parsejson package has not been functionally updated since it was initially released.

Additionally, it provides functionality which is natively included in Node.js, and therefore the native JSON.parse() should be used, for both performance and security reasons.

Details about parsejson@0.0.1

Summary:

Resource exhaustion in socket.io-parser

Details:

The socket.io-parser npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Details about socket.io-parser@2.2.1

Summary:

Insufficient validation when decoding a Socket.IO packet

Details:

Due to improper type validation in the socket.io-parser library (which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Example:

const decoder = new Decoder();

decoder.on("decoded", (packet) => {
 console.log(packet.data); // prints [ 'hello', [Function: splice] ]
})

decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');
decoder.add(Buffer.from("world"));

This bubbles up in the socket.io package:

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // here, "val" could be a function instead of a buffer
 });
});

:warning: IMPORTANT NOTE :warning:

You need to make sure that the payload that you received from the client is actually a Buffer object:

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 if (!Buffer.isBuffer(val)) {
 socket.disconnect();
 return;
 }
 // ...
 });
});

If that's already the case, then you are not impacted by this issue, and there is no way an attacker could make your server crash (or escalate privileges, ...).

Example of values that could be sent by a malicious user:

a number that is out of bounds

Sample packet: 451-["hello",{"_placeholder":true,"num":10}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is `undefined`
 });
});

a value that is not a number, like undefined

Sample packet: 451-["hello",{"_placeholder":true,"num":undefined}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is `undefined`
 });
});

a string that is part of the prototype of Array, like "push"

Sample packet: 451-["hello",{"_placeholder":true,"num":"push"}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is a reference to the "push" function
 });
});

a string that is part of the prototype of Object, like "hasOwnProperty"

Sample packet: 451-["hello",{"_placeholder":true,"num":"hasOwnProperty"}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is a reference to the "hasOwnProperty" function
 });
});

This should be fixed by:

https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050, included in socket.io-parser@4.2.1
https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4, included in socket.io-parser@4.0.5
https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14, included in socket.io-parser@3.4.2
https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983, included in socket.io-parser@3.3.3

Dependency analysis for the `socket.io` package

| socket.io version | socket.io-parser version | Covered? | |---------------------|---------------------------------------------------------------------------------------------------------|------------------------| | 4.5.2...latest | ~4.2.0 (ref) | Yes :heavy_check_mark: | | 4.1.3...4.5.1 | ~4.0.4 (ref) | Yes :heavy_check_mark: | | 3.0.5...4.1.2 | ~4.0.3 (ref) | Yes :heavy_check_mark: | | 3.0.0...3.0.4 | ~4.0.1 (ref) | Yes :heavy_check_mark: | | 2.3.0...2.5.0 | ~3.4.0 (ref) | Yes :heavy_check_mark: |

Dependency analysis for the `socket.io-client` package

| socket.io-client version | socket.io-parser version | Covered? | |----------------------------|----------------------------------------------------------------------------------------------------------------|------------------------------------| | 4.5.0...latest | ~4.2.0 (ref) | Yes :heavy_check_mark: | | 4.3.0...4.4.1 | ~4.1.1 (ref) | No, but the impact is very limited | | 3.1.0...4.2.0 | ~4.0.4 (ref) | Yes :heavy_check_mark: | | 3.0.5 | ~4.0.3 (ref) | Yes :heavy_check_mark: | | 3.0.0...3.0.4 | ~4.0.1 (ref) | Yes :heavy_check_mark: | | 2.2.0...2.5.0 | ~3.3.0 (ref) | Yes :heavy_check_mark: |

Details about socket.io-parser@2.2.1

Summary:

Insufficient validation when decoding a Socket.IO packet

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in socket.io-parser@4.2.3
https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in socket.io-parser@3.4.3

Another fix has been released for the 3.3.x branch:

https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4

| socket.io version | socket.io-parser version | Needs minor update? | |---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------| | 4.5.2...latest | ~4.2.0 (ref) | npm audit fix should be sufficient | | 4.1.3...4.5.1 | ~4.1.1 (ref) | Please upgrade to socket.io@4.6.x | | 3.0.5...4.1.2 | ~4.0.3 (ref) | Please upgrade to socket.io@4.6.x | | 3.0.0...3.0.4 | ~4.0.1 (ref) | Please upgrade to socket.io@4.6.x | | 2.3.0...2.5.0 | ~3.4.0 (ref) | npm audit fix should be sufficient |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Details about socket.io-parser@2.2.1

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.1.0 of the package socket.io.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.1.0 of the package

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@1.1.0

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@1.1.0

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

Details about debug@0.7.4

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@0.7.4

Summary:

Resource exhaustion in engine.io

Details:

Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Details about engine.io@1.4.0

Summary:

Uncaught exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

| Version range | Fixed version | |-------------------|---------------| | engine.io@3.x.y | 3.6.1 | | engine.io@6.x.y | 6.2.1 |

For socket.io users:

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Details about engine.io@1.4.0

Summary:

Remote Memory Disclosure in ws

Details:

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

Details about ws@0.4.31

Summary:

DoS due to excessively large websocket message in ws

Details:

Recommendation

Update to version 1.1.1 or later. Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

Details about ws@0.4.31

Summary:

Denial of Service in ws

Details:

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation

Update to version 3.3.1 or later.

Details about ws@0.4.31

Summary:

parse-uri Regular expression Denial of Service (ReDoS)

Details:

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

PoC

async function exploit() {
    const parseuri = require("parse-uri");
    // This input is designed to cause excessive backtracking in the regex
    const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
    const result = await parseuri(craftedInput);
    }
await exploit();

Details about parseuri@0.0.2

Summary:

Insecure Defaults Allow MITM Over TLS in engine.io-client

Details:

Affected versions of engine.io-client do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks.

Recommendation

Update to version 1.6.9 or later.

If you are unable to upgrade, ensure all calls to socket.io to have a rejectedUnauthorized: true flag.

Details about engine.io-client@1.4.0

Summary:

Regular Expression Denial of Service in parsejson

Details:

Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input.

Recommendation

The parsejson package has not been functionally updated since it was initially released.

Additionally, it provides functionality which is natively included in Node.js, and therefore the native JSON.parse() should be used, for both performance and security reasons.

Details about parsejson@0.0.1

Summary:

Resource exhaustion in socket.io-parser

Details:

The socket.io-parser npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Details about socket.io-parser@2.2.1

Summary:

Insufficient validation when decoding a Socket.IO packet

Details:

Example:

const decoder = new Decoder();

decoder.on("decoded", (packet) => {
 console.log(packet.data); // prints [ 'hello', [Function: splice] ]
})

decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');
decoder.add(Buffer.from("world"));

This bubbles up in the socket.io package:

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // here, "val" could be a function instead of a buffer
 });
});

:warning: IMPORTANT NOTE :warning:

You need to make sure that the payload that you received from the client is actually a Buffer object:

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 if (!Buffer.isBuffer(val)) {
 socket.disconnect();
 return;
 }
 // ...
 });
});

If that's already the case, then you are not impacted by this issue, and there is no way an attacker could make your server crash (or escalate privileges, ...).

Example of values that could be sent by a malicious user:

a number that is out of bounds

Sample packet: 451-["hello",{"_placeholder":true,"num":10}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is `undefined`
 });
});

a value that is not a number, like undefined

Sample packet: 451-["hello",{"_placeholder":true,"num":undefined}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is `undefined`
 });
});

a string that is part of the prototype of Array, like "push"

Sample packet: 451-["hello",{"_placeholder":true,"num":"push"}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is a reference to the "push" function
 });
});

a string that is part of the prototype of Object, like "hasOwnProperty"

Sample packet: 451-["hello",{"_placeholder":true,"num":"hasOwnProperty"}]

io.on("connection", (socket) => {
 socket.on("hello", (val) => {
 // val is a reference to the "hasOwnProperty" function
 });
});

This should be fixed by:

https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050, included in socket.io-parser@4.2.1
https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4, included in socket.io-parser@4.0.5
https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14, included in socket.io-parser@3.4.2
https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983, included in socket.io-parser@3.3.3

Dependency analysis for the `socket.io` package

Dependency analysis for the `socket.io-client` package

Details about socket.io-parser@2.2.1

Summary:

Insufficient validation when decoding a Socket.IO packet

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in socket.io-parser@4.2.3
https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in socket.io-parser@3.4.3

Another fix has been released for the 3.3.x branch:

https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Details about socket.io-parser@2.2.1

Version Details and Security Vulnerabilities

socket.io

Comparision Betweeen 1.1.0 and 1.0.6

Version 1.1.0 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

socket.io

Comparision Betweeen 1.1.0 and 1.0.6

Version 1.1.0 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@1.1.0 GHSA-fxwf-4rqh-v8g3 4.3

socket.io@1.1.0 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

debug@0.7.4 GHSA-9vvw-cc9w-f27h 7.5

debug@0.7.4 GHSA-gxpj-cx7g-858c 3.7

Recommendation

engine.io@1.4.0 GHSA-j4f2-536g-r55m 7.5

engine.io@1.4.0 GHSA-r7qp-cfhv-p84w 6.5

Impact

Patches

Workarounds

For more information

ws@0.4.31 GHSA-2mhh-w6q8-5hxw N/A

Proof of Concept

Recommendation

ws@0.4.31 GHSA-6663-c963-2gqg N/A

Recommendation

ws@0.4.31 GHSA-5v72-xg48-5rpm 7.5

Proof of concept

Recommendation

parseuri@0.0.2 GHSA-6fx8-h7jm-663j 6.9

PoC

engine.io-client@1.4.0 GHSA-4r4m-hjwj-43p8 5.9

Recommendation

parsejson@0.0.1 GHSA-q75g-2496-mxpp N/A

Recommendation

socket.io-parser@2.2.1 GHSA-xfhh-g9f5-x4m4 7.5

socket.io-parser@2.2.1 GHSA-qm95-pgcg-qqfq 9.8

Dependency analysis for the socket.io package

Dependency analysis for the socket.io-client package

socket.io-parser@2.2.1 GHSA-cqmj-92xf-r6r9 6.9

Impact

Patches

Workarounds

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@1.1.0 GHSA-fxwf-4rqh-v8g3 4.3

socket.io@1.1.0 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

debug@0.7.4 GHSA-9vvw-cc9w-f27h 7.5

debug@0.7.4 GHSA-gxpj-cx7g-858c 3.7

Recommendation

engine.io@1.4.0 GHSA-j4f2-536g-r55m 7.5

engine.io@1.4.0 GHSA-r7qp-cfhv-p84w 6.5

Impact

Patches

Workarounds

For more information

ws@0.4.31 GHSA-2mhh-w6q8-5hxw N/A

Proof of Concept

Recommendation

Dependency analysis for the `socket.io` package

Dependency analysis for the `socket.io-client` package

Dependency analysis for the `socket.io` package

Dependency analysis for the `socket.io-client` package