Socket.IO, a popular Node.js framework for real-time applications, released version 4.5.2 as an incremental update to its previous stable version 4.5.1. Examining the changes, several key distinctions emerge that are relevant for developers considering an upgrade. Notably, the socket.io-parser dependency saw an update, moving from version 4.0.4 in 4.5.1 to version 4.2.0 in 4.5.2. This update likely includes performance improvements, bug fixes, and potentially new features in parsing Socket.IO's custom protocol. Furthermore, superagent, a testing dependency, was bumped from version 6.1.0 to 8.0.0, which might affect the test suites of projects relying on Socket.IO. Version 4.5.2 also introduces changes to developer tooling, upgrading mocha to version 10.0.0 from 3.5.3, and tsd to version 0.21.0 from 0.17.0, which could affect how developers write and manage TypeScript definition files. The internal socket.io-client dev dependency was also updated to match the server version. The unpacked size also increased to 1081846 from 1033526.
Finally, the release dates signify an approximately three-month gap between versions, with 4.5.1 released in May 2022 and 4.5.2 in September 2022. Considering these changes, developers of Socket.IO that are looking to upgrade, should pay specific attention to the socket.io-parser updates and potential impacts on existing parsing logic.
All the vulnerabilities related to the version 4.5.2 of the package
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
throw err; // Unhandled 'error' event
^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
at new NodeError (node:internal/errors:405:5)
at Socket.emit (node:events:500:17)
at /myapp/node_modules/socket.io/lib/socket.js:531:14
at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
code: 'ERR_UNHANDLED_ERROR',
context: undefined
}
| Version range | Needs minor update? |
|------------------|------------------------------------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:
io.on("connection", (socket) => {
socket.on("error", () => {
// ...
});
});
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.
engine.io Uncaught Exception vulnerability
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
at Server.onWebSocket (build/server.js:515:67)
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:
| Version range | engine.io version | Needs minor update? |
|-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------|
| socket.io@4.6.x | ~6.4.0 | npm audit fix should be sufficient |
| socket.io@4.5.x | ~6.2.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.6.x |
| socket.io@4.0.x | ~5.0.0 | Not impacted |
| socket.io@3.1.x | ~4.1.0 | Not impacted |
| socket.io@3.0.x | ~4.0.0 | Not impacted |
| socket.io@2.5.0 | ~3.6.0 | Not impacted |
| socket.io@2.4.x and below | ~3.5.0 | Not impacted |
There is no known workaround except upgrading to a safe version.
If you have any questions or comments about this advisory:
engine.ioThanks to Thomas Rinsma from Codean for the responsible disclosure.
ws affected by a DoS when handling a request with many HTTP headers
A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j < chars.length; j++) {
const key = chars[i] + chars[j];
headers[key] = 'x';
if (++count === 2000) break;
}
}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.server.maxHeadersCount to 0 so that no limit is applied.The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
cookie accepts cookie name, path, and domain with out of bounds characters
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.