Socket.IO version 4.7.5 is a minor update to the popular Node.js real-time framework, building on version 4.7.4. Both versions share the same runtime dependencies (cors, debug, accepts, base64id, engine.io, socket.io-parser, and socket.io-adapter) and the same development tools (nyc, tsd, mocha, rimraf, ts-node, prettier, expect.js, supertest, superagent, typescript, @types/mocha, uWebSockets.js, and socket.io-client-v2), so the differences are small but still affect the developer experience.
The key difference between the two versions is the socket.io-client dependency, which moves from version 4.7.4 to version 4.7.5.
Developers should also note the release dates: 4.7.5 was released on March 14, 2024, while 4.7.4 came out on January 12, 2024, so 4.7.5 incorporates two months of fixes and improvements. The "unpackedSize" of 4.7.5 is slightly larger (1330340 bytes) than that of 4.7.4 (1318760 bytes), indicating that new code or assets were added.
Socket.IO facilitates real-time, bidirectional communication between web clients and servers, making it ideal for building chat applications, collaborative tools, and live data dashboards. The framework's reliance on established libraries offers stability, while its MIT license ensures flexibility. The consistent repository URL and file count across versions suggest a commitment to maintaining project structure. Developers should always consult the official Socket.IO changelog for a comprehensive breakdown of specific fixes and enhancements introduced in version 4.7.5.
All known vulnerabilities affecting version 4.7.5 of the package
cookie accepts cookie name, path, and domain with out of bounds characters
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting the userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application rather than taken from user input.
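The following added example (not code from the cookie package or from Socket.IO) shows the kind of validation the fix describes: a serializer that checks the cookie name against the RFC 6265 token grammar and rejects path and domain values containing the ';' attribute separator or control characters, so the injected name quoted above is refused instead of being emitted. The regular expressions are assumptions modelled on RFC 6265, not the library's own.

```javascript
// Added example, not the cookie library's code. Regexes are assumptions based on RFC 6265.

// RFC 6265 "token": printable ASCII minus separators such as ';', '=', ',' and whitespace.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Path and Domain attribute values: printable ASCII, no control characters, no ';'.
const COOKIE_ATTR_RE = /^[\u0020-\u003A\u003C-\u007E]*$/;

function isValidCookieName(name) {
  return typeof name === 'string' && COOKIE_NAME_RE.test(name);
}

function isValidCookieAttr(value) {
  return typeof value === 'string' && COOKIE_ATTR_RE.test(value);
}

// Build a Set-Cookie header value, refusing any field that could smuggle an attribute.
function safeSerialize(name, value, options = {}) {
  if (!isValidCookieName(name)) {
    throw new TypeError('invalid cookie name: ' + JSON.stringify(name));
  }
  let out = name + '=' + encodeURIComponent(String(value));
  if (options.maxAge !== undefined) {
    if (!Number.isInteger(options.maxAge)) throw new TypeError('maxAge must be an integer');
    out += '; Max-Age=' + options.maxAge;
  }
  if (options.path !== undefined) {
    if (!isValidCookieAttr(options.path)) throw new TypeError('invalid cookie path');
    out += '; Path=' + options.path;
  }
  if (options.domain !== undefined) {
    if (!isValidCookieAttr(options.domain)) throw new TypeError('invalid cookie domain');
    out += '; Domain=' + options.domain;
  }
  return out;
}

// Returns true when the serializer refuses the given inputs (used to check the guard).
function rejects(name, value, options) {
  try {
    safeSerialize(name, value, options);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed inputs: a legitimate cookie and the injected name from the advisory above.
console.log(safeSerialize('userName', 'test', { maxAge: 2592000, path: '/' }));
console.log(rejects("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", 'test'));
```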