Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency socket.io to v2.5.1 [SECURITY] #10

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 24, 2021

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
socket.io 2.0.2 -> 2.5.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-28481

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

CVE-2024-38355

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Version range Needs minor update?
4.6.2...latest Nothing to do
3.0.0...4.6.1 Please upgrade to [email protected] (at least)
2.3.0...2.5.0 Please upgrade to [email protected]

Patches

This issue is fixed by socketio/socket.io@15af22f, included in [email protected] (released in May 2023).

The fix was backported in the 2.x branch today: socketio/socket.io@d30630b

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References


Release Notes

socketio/socket.io (socket.io)

v2.5.1

Compare Source

Bug Fixes
  • add a noop handler for the error event (d30630b)
Links:

v2.5.0

Compare Source

⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes
  • fix race condition in dynamic namespaces (05e1278)
  • ignore packet received after disconnection (22d4bdf)
  • only set 'connected' to true after middleware execution (226cc16)
  • prevent the socket from joining a room after disconnection (f223178)
Links:

v2.4.1

Compare Source

Reverts
  • fix(security): do not allow all origins by default (a169050)

v2.4.0

Compare Source

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)
  • add support for all cookie options (19cc582)
  • disable perMessageDeflate by default (5ad2736)
Bug Fixes
  • security: do not allow all origins by default (f78a575)
  • properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

  • you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
  • you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

Thanks a lot to @​ni8walk3r for the security report.

Links:

v2.3.0

Compare Source

This release mainly contains a bump of the engine.io and ws packages, but no additional features.

Links:

v2.2.0

Compare Source

Features

  • add cache-control header when serving the client source (#​2907)

Bug fixes

  • throw an error when trying to access the clients of a dynamic namespace (#​3355)
Links

v2.1.1

Compare Source

Features

socket.local.to('room101').emit(/* */);

Bug fixes

(client) fire an error event on middleware failure for non-root namespace (https://github.com/socketio/socket.io-client/pull/1202)

Links:

v2.1.0

Compare Source

Features

// by default, the object is recursively scanned to check whether it contains some binary data
// in the following example, the check is skipped in order to improve performance
socket.binary(false).emit('plain-object', object);

// it also works at the namespace level
io.binary(false).emit('plain-object', object);
  • add support for dynamic namespaces (#​3195)
io.of(/^\/dynamic-\d+$/).on('connect', (socket) => {
  // socket.nsp.name = '/dynamic-101'
});

// client-side
const client = require('socket.io-client')('/dynamic-101');

Bug fixes

  • properly emit 'connect' when using a custom namespace (#​3197)
  • include the protocol in the origins check (#​3198)

Important note ⚠️ from Engine.IO 3.2.0 release

There are two non-breaking changes that are somehow quite important:

  • ws was reverted as the default wsEngine (https://github.com/socketio/engine.io/pull/550), as there was several blocking issues with uws. You can still use uws by running npm install uws --save in your project and using the wsEngine option:
var engine = require('engine.io');
var server = engine.listen(3000, {
  wsEngine: 'uws'
});
Links:

v2.0.4

Compare Source

Bug fixes

  • do not throw when receiving an unhandled error packet (#​3038)
  • reset rooms object before broadcasting from namespace (#​3039)
Links:

v2.0.3

Compare Source

Bug fixes

  • reset rooms object before broadcasting (#​2970)
  • fix middleware initialization (#​2969)
Links:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 81fe63c to d230b04 Compare February 7, 2021 16:56
@renovate renovate bot changed the title Update dependency socket.io to v2.4.0 [SECURITY] Update dependency socket.io to 2.4.0 [SECURITY] Apr 26, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from d230b04 to b2530c9 Compare September 25, 2022 16:52
@renovate renovate bot changed the title Update dependency socket.io to 2.4.0 [SECURITY] Update dependency socket.io to v2.4.0 [SECURITY] Mar 24, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from b2530c9 to 14dd560 Compare June 19, 2024 16:45
@renovate renovate bot changed the title Update dependency socket.io to v2.4.0 [SECURITY] Update dependency socket.io to v2.5.1 [SECURITY] Jun 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants