Advisories for Npm/Socket.io package

2024

socket.io has an unhandled 'error' event

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. node:events:502 throw err; // Unhandled 'error' event ^ Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined) at new NodeError (node:internal/errors:405:5) at Socket.emit (node:events:500:17) at /myapp/node_modules/socket.io/lib/socket.js:531:14 at process.processTicksAndRejections (node:internal/process/task_queues:77:11) { code: 'ERR_UNHANDLED_ERROR', context: undefined }

2021
2018
2013
2012

Insecure randomness

Because socket.io depends on Math.random() to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.