Socket.IO versions 4.7.1 and 4.7.0 are both releases of the node.js realtime framework server, with the same core functionality and runtime dependencies. A key difference lies in their devDependencies: in version 4.7.1 the socket.io-client devDependency is bumped to 4.7.1, matching the package's own version.
The dist object also reveals differences. Version 4.7.1 has a smaller tarball, a lower file count (28 vs 36), and a smaller unpacked size (1281785 vs 2347222 bytes) than 4.7.0, suggesting optimizations such as reduced package bloat or the removal of unnecessary assets. Furthermore, the release dates show that version 4.7.1 was published on June 28, 2023, a few days after version 4.7.0 on June 22, 2023. This rapid release cycle suggests that 4.7.1 contains bug fixes or minor enhancements implemented shortly after the 4.7.0 release.
Developers should consider upgrading to version 4.7.1 to benefit from any performance improvements, bug fixes, or security enhancements that are not in 4.7.0. Reviewing the changelog between the two releases is essential to determine the specific changes and their potential impact on your application. This helps ensure a smooth upgrade and lets you leverage the latest improvements offered by the Socket.IO library, while also confirming that a quick follow-up release was deployed to address bugs found in the client shortly after the main release.
Vulnerabilities related to version 4.7.1 of the package:
cookie accepts cookie name, path, and domain with out-of-bounds characters

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting the userName cookie to <script> and ignoring value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application rather than derived from user input.