CVE-2016-10536: Improper Certificate Validation
engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO.
The vulnerability is related to the way that Node.js handles the rejectUnauthorized setting. If the value is something that evaluates to false, certificate verification will be disabled.
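The failure mode described above, as an added example that is not engine.io-client's own code: it contrasts a truthiness test on rejectUnauthorized with a strict comparison and shows a fail-closed way to build TLS options. The function names and sample inputs are constructed for illustration.

```javascript
// Added example. Function names and sample inputs are constructed for
// illustration; this is not engine.io-client source code.

// Pattern from the advisory: the option is tested for truthiness, so
// undefined, null, 0 and '' all act like an explicit `false`.
function verifiesByTruthiness(opts) {
  return Boolean(opts.rejectUnauthorized);
}

// Strict form: verification stays on unless the caller passed boolean false.
function verifiesStrict(opts) {
  return opts.rejectUnauthorized !== false;
}

// Fail-closed builder for options handed to tls.connect() / https.request().
// Non-boolean values are rejected so a misconfiguration surfaces immediately.
function hardenTlsOptions(opts = {}) {
  const v = opts.rejectUnauthorized;
  if (v !== undefined && typeof v !== 'boolean') {
    const got = v === null ? 'null' : typeof v;
    throw new TypeError(`rejectUnauthorized must be a boolean, got ${got}`);
  }
  return { ...opts, rejectUnauthorized: v !== false };
}

// Inputs where the truthiness test drops verification although the caller
// never asked for that (i.e. never passed boolean false).
function silentlyDisabled(inputs) {
  return inputs.filter((o) => !verifiesByTruthiness(o) && verifiesStrict(o));
}

// Constructed sample configurations.
const SAMPLES = [
  {},
  { rejectUnauthorized: null },
  { rejectUnauthorized: 0 },
  { rejectUnauthorized: '' },
  { rejectUnauthorized: false },
  { rejectUnauthorized: true },
];

for (const o of SAMPLES) {
  console.log(JSON.stringify(o), 'truthiness:', verifiesByTruthiness(o),
    'strict:', verifiesStrict(o));
}
console.log('silently disabled:', silentlyDisabled(SAMPLES).length);
```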