Advisories for Npm/@Soketi/Soketi package

2023

Soketi was exposed to Sandbox Escape vulnerability via vm2

Impact What kind of vulnerability is it? Who is impacted? Anyone who might have used Soketi with the cluster driver (or through PM2). Patches Has the problem been patched? What versions should users upgrade to? Get the latest version of Soketi. Workarounds Is there a way for users to fix or remediate the vulnerability without upgrading? None. It's advised to upgrade to the latest version. References Are there any links …

2022

Zalgo-like output that crashes the server

Impact What kind of vulnerability is it? Who is impacted? colors package caused zalgo-like output (see https://github.com/soketi/soketi/issues/276, https://github.com/Marak/colors.js/issues/289), breaking the servers. Only NPM users that recently upgraded or installed the NPM package are affected. Docker users seem to not be affected as the dependencies were bundled at the time of the build, which were tested. Patches Has the problem been patched? What versions should users upgrade to? Latest patch. 0.26.1 …

Denial of Service in soketi

Impact What kind of vulnerability is it? Who is impacted? There was a wrong behavior when reading POST requests, making the server crash if it couldn't read the body. In case a POST request was sent to any endpoint of the server with an empty body, even unauthenticated with the Pusher Protocol, it would simply just crash the server for trying to send a response after the request closed. All …