10000 [dist] Update dependency socket.io [SECURITY] by renovate[bot] · Pull Request #1501 · http-party/node-http-proxy · GitHub
[go: up one dir, main page]
Skip to content

[dist] Update dependency socket.io [SECURITY] #1501

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[dist] Update dependency socket.io [SECURITY] #1501

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor
@renovate renovate bot commented Jan 23, 2021
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
socket.io (source) 2.2.0 -> 2.5.1 age adoption passing confidence
socket.io (source) ~0.9.16 -> ~4.8.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-28481

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

CVE-2024-38355

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Version range Needs minor update?
4.6.2...latest Nothing to do
3.0.0...4.6.1 Please upgrade to socket.io@4.6.2 (at least)
2.3.0...2.5.0 Please upgrade to socket.io@2.5.1

Patches

This issue is fixed by socketio/socket.io@15af22f, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: socketio/socket.io@d30630b

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

Release Notes

socketio/socket.io (socket.io)

v2.5.1

Compare Source

Bug Fixes
  • add a noop handler for the error event (d30630b)
Links:

v2.5.0

Compare Source

⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes
  • fix race condition in dynamic namespaces (05e1278)
  • ignore packet received after disconnection (22d4bdf)
  • only set 'connected' to true after middleware execution (226cc16)
  • prevent the socket from joining a room after disconnection (f223178)
Links:

v2.4.1

Compare Source

This release reverts the breaking change introduced in 2.4.0 (socketio/socket.io@f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

  • without CORS (server and client are served from the same domain):
const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});
  • with CORS (server and client are served from distinct domains):
io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts
  • fix(security): do not allow all origins by default (a169050)
Links:

v2.4.0

Compare Source

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)
  • add support for all cookie options (19cc582)
  • disable perMessageDeflate by default (5ad2736)
Bug Fixes
  • security: do not allow all origins by default (f78a575)
  • properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

  • you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
  • you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

Thanks a lot to @​ni8walk3r for the security report.

Links:

v2.3.0

Compare Source

This release mainly contains a bump of the engine.io and ws packages, but no additional features.

Links:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov-io
Copy link
codecov-io commented Jan 23, 2021
edited
Loading

Codecov Report

Merging #1501 (246460b) into master (9b96cd7) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #1501   +/-   ##
=======================================
  Coverage   92.38%   92.38%           
=======================================
  Files           6        6           
  Lines         315      315           
=======================================
  Hits          291      291           
  Misses         24       24

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9b96cd7...246460b. Read the comment docs.

@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 246460b to 679e81c Compare February 9, 2021 11:57
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.4.0 [SECURITY] [dist] Update dependency socket.io to 2.4.0 [SECURITY] May 9, 2021
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 679e81c to 4c6335c Compare September 25, 2022 23:00
@renovate renovate bot changed the title [dist] Update dependency socket.io to 2.4.0 [SECURITY] [dist] Update dependency socket.io to v2.4.0 [SECURITY] Mar 24, 2023
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.4.0 [SECURITY] [dist] Update dependency socket.io [SECURITY] Apr 17, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 4c6335c to a054e0a Compare April 17, 2023 11:40
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.4.0 [SECURITY] Apr 17, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from a054e0a to efed143 Compare April 1 10000 7, 2023 15:20
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.4.0 [SECURITY] [dist] Update dependency socket.io [SECURITY] May 28, 2023
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.4.0 [SECURITY] Jun 1, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from b26982c to 063a896 Compare June 4, 2023 13:45
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.4.0 [SECURITY] [dist] Update dependency socket.io [SECURITY] Jun 4, 2023
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.4.0 [SECURITY] Jun 4, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 063a896 to e5596dc Compare June 4, 2023 15:24
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.4.0 [SECURITY] [dist] Update dependency socket.io [SECURITY] Jun 9, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from e5596dc to f9c1c2f Compare June 9, 2023 02:28
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.4.0 [SECURITY] Jun 9, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f9c1c2f to d1284bd Compare June 9, 2023 04:20
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.4.0 [SECURITY] [dist] Update dependency socket.io [SECURITY] Jun 13, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from d1284bd to 47cac40 Compare June 13, 2023 13:57
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.4.0 [SECURITY] Jun 13, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 47cac40 to ae3ee24 Compare June 13, 2023 17:41
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.4.0 [SECURITY] [dist] Update dependency socket.io [SECURITY] Jun 18, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from ae3ee24 to fb8c964 Compare June 18, 2023 09:03
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.4.0 [SECURITY] Jun 18, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from fb8c964 to 1544201 Compare June 18, 2023 12:15
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.4.0 [SECURITY] [dist] Update dependency socket.io [SECURITY] Jun 19, 2023
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 1544201 to 1d7d5e8 Compare June 19, 2023 07:31
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.5.1 [SECURITY] [dist] Update dependency socket.io [SECURITY] Mar 17, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 0ace641 to f056b13 Compare March 17, 2025 23:37
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.5.1 [SECURITY] Mar 17, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f056b13 to 28d1ca4 Compare April 1, 2025 13:44
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.5.1 [SECURITY] [dist] Update dependency socket.io [SECURITY] Apr 1, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 28d1ca4 to 07255b8 Compare April 1, 2025 19:45
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.5.1 [SECURITY] Apr 1, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 07255b8 to db28183 Compare April 24, 2025 15:05
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.5.1 [SECURITY] [dist] Update dependency socket.io [SECURITY] Apr 24, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from db28183 to 6bd9156 Compare April 24, 2025 19:47
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.5.1 [SECURITY] Apr 24, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 6bd9156 to a238691 Compare May 7, 2025 11:48
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.5.1 [SECURITY] [dist] Update dependency socket.io [SECURITY] May 7, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from a238691 to 480e186 Compare May 7, 2025 17:07
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.5.1 [SECURITY] May 7, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 480e186 to f63b895 Compare May 13, 2025 12:24
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.5.1 [SECURITY] [dist] Update dependency socket.io [SECURITY] May 13, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f63b895 to 5d0d5bd Compare May 13, 2025 20:19
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.5.1 [SECURITY] May 13, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 5d0d5bd to 1b88070 Compare May 19, 2025 16:35
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.5.1 [SECURITY] [dist] Update dependency socket.io [SECURITY] May 19, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 1b88070 to b560df4 Compare May 19, 2025 23:38
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.5.1 [SECURITY] May 19, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from b560df4 to 9150363 Compare May 28, 2025 13:33
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.5.1 [SECURITY] [dist] Update dependency socket.io [SECURITY] May 28, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 9150363 to dd587ea Compare May 28, 2025 19:22
@renovate renovate bot changed the title [dist] Update dependency socket.io [SECURITY] [dist] Update dependency socket.io to v2.5.1 [SECURITY] May 28, 2025
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from dd587ea to 409b556 Compare June 4, 2025 11:24
@renovate renovate bot changed the title [dist] Update dependency socket.io to v2.5.1 [SECURITY] [dist] Update dependency socket.io [SECURITY] Jun 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@codecov-io
0