Skip to content

Security: marknelissen/socket.io

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
4.x
3.x
2.4.x
< 2.4.0

Reporting a Vulnerability

To report a security vulnerability in this package, please send an email to @darrachequesne (see address in profile) describing the vulnerability and how to reproduce it.

We will get back to you as soon as possible and publish a fix if necessary.

⚠️ IMPORTANT ⚠️ please do not create an issue in this repository, as attackers might take advantage of it. Thank you in advance for your responsible disclosure.

History

For the socket.io package

Date Description CVE number Affected versions Patched versions
July 2012 Insecure randomness CVE-2017-16031 <= 0.9.6 0.9.7
January 2021 CORS misconfiguration CVE-2020-28481 < 2.4.0 2.4.0
June 2024 Unhandled 'error' event CVE-2024-38355 < 2.5.1
>= 3.0.0, < 4.6.2
2.5.1
4.6.2

From the transitive dependencies:

Date Dependency Description CVE number
January 2016 ws Buffer vulnerability CVE-2016-10518
January 2016 ws DoS due to excessively large websocket message CVE-2016-10542
November 2017 ws DoS in the Sec-Websocket-Extensions header parser -
February 2020 engine.io Resource exhaustion CVE-2020-36048
January 2021 socket.io-parser Resource exhaustion CVE-2020-36049
May 2021 ws ReDoS in Sec-Websocket-Protocol header CVE-2021-32640
January 2022 engine.io Uncaught exception CVE-2022-21676
October 2022 socket.io-parser Insufficient validation when decoding a Socket.IO packet CVE-2022-2421
November 2022 engine.io Uncaught exception CVE-2022-41940
May 2023 engine.io Uncaught exception CVE-2023-31125
May 2023 socket.io-parser Insufficient validation when decoding a Socket.IO packet CVE-2023-32695
June 2024 ws DoS when handling a request with many HTTP headers CVE-2024-37890

For the socket.io-client package

From the transitive dependencies:

Date Dependency Description CVE number
January 2016 ws Buffer vulnerability CVE-2016-10518
January 2016 ws DoS due to excessively large websocket message CVE-2016-10542
October 2016 engine.io-client Insecure Defaults Allow MITM Over TLS CVE-2016-10536
November 2017 ws DoS in the Sec-Websocket-Extensions header parser -
January 2021 socket.io-parser Resource exhaustion CVE-2020-36049
May 2021 ws ReDoS in Sec-Websocket-Protocol header CVE-2021-32640
October 2022 socket.io-parser Insufficient validation when decoding a Socket.IO packet CVE-2022-2421
May 2023 socket.io-parser Insufficient validation when decoding a Socket.IO packet CVE-2023-32695
June 2024 ws DoS when handling a request with many HTTP headers CVE-2024-37890

There aren’t any published security advisories