Version Details and Security Vulnerabilities

📦

socket.io

3.0.4

Comparision Betweeen 3.0.4 and 3.0.3

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

959.84 KB

959.94 KB

Version 3.0.4 Details

Socket.IO version 3.0.4 represents a small, but potentially important update over version 3.0.3 for developers utilizing this popular real-time communication library. Both versions share the same core dependencies, including debug, accepts, base64id, engine.io, @types/cors, @types/node, @types/cookie, socket.io-parser, and socket.io-adapter, ensuring a consistent foundation for building real-time applications. Similarly, the development dependencies related to testing, linting, and code formatting remain largely unchanged, indicating a continued commitment to code quality and maintainability.

The key difference lies in the updated version of the socket.io-client, used for client-side connections, updated to 3.0.4 to match the server version. Furthermore, nyc was updated from version 11.2.1 in v3.0.3 to version 15.1.0 in v3.0.4. Another change is the size of the unpacked package being almost identical, but having each a slightly different size worth noting: 982875 bytes for 3.0.4 and 982979 bytes for 3.0.3. Finally the release data, where version 3.0.4 was released on 2020-12-07, while version 3.0.3 was released on 2020-11-19. For developers already using Socket.IO 3.0.3, upgrading to 3.0.4 promises compatibility and benefits from any bug fixes or minor enhancements included in the synchronized client-side release. As always, checking the changelog for detailed release notes is recommended before upgrading to ensure a smooth transition.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

socket.io

3.0.4

Comparision Betweeen 3.0.4 and 3.0.3

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

959.84 KB

959.94 KB

Version 3.0.4 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.0.4 of the package socket.io.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.0.4 of the package

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@3.0.4

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@4.1.1

Summary:

Uncaught Exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) at writeOrBuffer (internal/streams/writable.js:358:12)

This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io.

Patches

A fix has been released for each major branch:

| Version range | Fixed version | | --- | --- | | engine.io@4.x.x | 4.1.2 | | engine.io@5.x.x | 5.2.1 | | engine.io@6.x.x | 6.1.1 |

Previous versions (< 4.0.0) are not impacted.

For socket.io users:

| Version range | engine.io version | Needs minor update? | | --- | --- | --- | | socket.io@4.4.x | ~6.1.0 | - | socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.4.x | socket.io@4.2.x | ~5.2.0 | - | socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.4.x | socket.io@4.0.x | ~5.0.0 | Please upgrade to socket.io@4.4.x | socket.io@3.1.x | ~4.1.0 | - | socket.io@3.0.x | ~4.0.0 | Please upgrade to socket.io@3.1.x or socket.io@4.4.x (see here)

In most cases, running npm audit fix should be sufficient. You can also use npm update engine.io --depth=9999.

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Details about engine.io@4.0.6

Summary:

Uncaught exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

| Version range | Fixed version | |-------------------|---------------| | engine.io@3.x.y | 3.6.1 | | engine.io@6.x.y | 6.2.1 |

For socket.io users:

| Version range | engine.io version | Needs minor update? | |-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------| | socket.io@4.5.x | ~6.2.0 | npm audit fix should be sufficient | | socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.5.x | | socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.5.x | | socket.io@4.0.x | ~5.0.0 | Please upgrade to socket.io@4.5.x | | socket.io@3.1.x | ~4.1.0 | Please upgrade to socket.io@4.5.x (see here) | | socket.io@3.0.x | ~4.0.0 | Please upgrade to socket.io@4.5.x (see here) | | socket.io@2.5.0 | ~3.6.0 | npm audit fix should be sufficient | | socket.io@2.4.x and below | ~3.5.0 | Please upgrade to socket.io@2.5.0 |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Details about engine.io@4.0.6

Summary:

ws affected by a DoS when handling a request with many HTTP headers

Details:

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231

Details about ws@7.4.6

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.4.2

Summary:

Insufficient validation when decoding a Socket.IO packet

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in socket.io-parser@4.2.3
https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in socket.io-parser@3.4.3

Another fix has been released for the 3.3.x branch:

https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4

| socket.io version | socket.io-parser version | Needs minor update? | |---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------| | 4.5.2...latest | ~4.2.0 (ref) | npm audit fix should be sufficient | | 4.1.3...4.5.1 | ~4.1.1 (ref) | Please upgrade to socket.io@4.6.x | | 3.0.5...4.1.2 | ~4.0.3 (ref) | Please upgrade to socket.io@4.6.x | | 3.0.0...3.0.4 | ~4.0.1 (ref) | Please upgrade to socket.io@4.6.x | | 2.3.0...2.5.0 | ~3.4.0 (ref) | npm audit fix should be sufficient |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Details about socket.io-parser@4.0.5

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.0.4 of the package socket.io.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.0.4 of the package

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@3.0.4

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@4.1.1

Summary:

Uncaught Exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) at writeOrBuffer (internal/streams/writable.js:358:12)

This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io.

Patches

A fix has been released for each major branch:

| Version range | Fixed version | | --- | --- | | engine.io@4.x.x | 4.1.2 | | engine.io@5.x.x | 5.2.1 | | engine.io@6.x.x | 6.1.1 |

Previous versions (< 4.0.0) are not impacted.

For socket.io users:

In most cases, running npm audit fix should be sufficient. You can also use npm update engine.io --depth=9999.

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Details about engine.io@4.0.6

Summary:

Uncaught exception in engine.io

Details:

Impact

A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.

Patches

A fix has been released today (2022/11/20):

| Version range | Fixed version | |-------------------|---------------| | engine.io@3.x.y | 3.6.1 | | engine.io@6.x.y | 6.2.1 |

For socket.io users:

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open an issue in engine.io

Thanks to Jonathan Neve for the responsible disclosure.

Details about engine.io@4.0.6

Summary:

ws affected by a DoS when handling a request with many HTTP headers

Details:

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231

Details about ws@7.4.6

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.4.2

Summary:

Insufficient validation when decoding a Socket.IO packet

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in socket.io-parser@4.2.3
https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in socket.io-parser@3.4.3

Another fix has been released for the 3.3.x branch:

https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4, included in `socket.io-parser@3.3.4

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Details about socket.io-parser@4.0.5

Version Details and Security Vulnerabilities

socket.io

Comparision Betweeen 3.0.4 and 3.0.3

Version 3.0.4 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

socket.io

Comparision Betweeen 3.0.4 and 3.0.3

Version 3.0.4 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@3.0.4 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

debug@4.1.1 GHSA-gxpj-cx7g-858c 3.7

Recommendation

engine.io@4.0.6 GHSA-273r-mgr4-v34f 7.5

Impact

Patches

Workarounds

For more information

engine.io@4.0.6 GHSA-r7qp-cfhv-p84w 6.5

Impact

Patches

Workarounds

For more information

ws@7.4.6 GHSA-3h5v-q93c-6h6q 8.7

Impact

Proof of concept

Patches

Workarounds

Credits

References

cookie@0.4.2 GHSA-pxg6-pf52-xh8x N/A

Impact

Patches

Workarounds

References

socket.io-parser@4.0.5 GHSA-cqmj-92xf-r6r9 6.9

Impact

Patches

Workarounds

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

socket.io@3.0.4 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

debug@4.1.1 GHSA-gxpj-cx7g-858c 3.7

Recommendation

engine.io@4.0.6 GHSA-273r-mgr4-v34f 7.5

Impact

Patches

Workarounds

For more information

engine.io@4.0.6 GHSA-r7qp-cfhv-p84w 6.5

Impact

Patches

Workarounds

For more information

ws@7.4.6 GHSA-3h5v-q93c-6h6q 8.7

Impact

Proof of concept

Patches

Workarounds