Mirror of https://github.com/socketio/socket.io.git (synced 2026-01-06 21:54:05 -05:00)
# Security Policy

## Supported Versions
| Version | Supported |
|---|---|
| 4.x | ✅ |
| 3.x | ✅ |
| 2.4.x | ✅ |
| < 2.4.0 | ❌ |
## Reporting a Vulnerability
To report a security vulnerability in this package, please send an email to @darrachequesne (see address in profile) describing the vulnerability and how to reproduce it.
We will get back to you as soon as possible and publish a fix if necessary.
⚠️ IMPORTANT ⚠️ Please do not create an issue in this repository, as attackers might take advantage of it. Thank you in advance for your responsible disclosure.
## History

### For the socket.io package

| Date | Description | CVE number | Affected versions | Patched versions |
|---|---|---|---|---|
| July 2012 | Insecure randomness | CVE-2017-16031 | <= 0.9.6 | 0.9.7 |
| January 2021 | CORS misconfiguration | CVE-2020-28481 | < 2.4.0 | 2.4.0 |
| June 2024 | Unhandled 'error' event | CVE-2024-38355 | < 2.5.1<br/>>= 3.0.0, < 4.6.2 | 2.5.1<br/>4.6.2 |
From the transitive dependencies:
| Date | Dependency | Description | CVE number |
|---|---|---|---|
| January 2016 | ws | Buffer vulnerability | CVE-2016-10518 |
| January 2016 | ws | DoS due to excessively large websocket message | CVE-2016-10542 |
| November 2017 | ws | DoS in the Sec-Websocket-Extensions header parser | - |
| February 2020 | engine.io | Resource exhaustion | CVE-2020-36048 |
| January 2021 | socket.io-parser | Resource exhaustion | CVE-2020-36049 |
| May 2021 | ws | ReDoS in Sec-Websocket-Protocol header | CVE-2021-32640 |
| January 2022 | engine.io | Uncaught exception | CVE-2022-21676 |
| October 2022 | socket.io-parser | Insufficient validation when decoding a Socket.IO packet | CVE-2022-2421 |
| November 2022 | engine.io | Uncaught exception | CVE-2022-41940 |
| May 2023 | engine.io | Uncaught exception | CVE-2023-31125 |
| May 2023 | socket.io-parser | Insufficient validation when decoding a Socket.IO packet | CVE-2023-32695 |
| June 2024 | ws | DoS when handling a request with many HTTP headers | CVE-2024-37890 |
### For the socket.io-client package
From the transitive dependencies:
| Date | Dependency | Description | CVE number |
|---|---|---|---|
| January 2016 | ws | Buffer vulnerability | CVE-2016-10518 |
| January 2016 | ws | DoS due to excessively large websocket message | CVE-2016-10542 |
| October 2016 | engine.io-client | Insecure Defaults Allow MITM Over TLS | CVE-2016-10536 |
| November 2017 | ws | DoS in the Sec-Websocket-Extensions header parser | - |
| January 2021 | socket.io-parser | Resource exhaustion | CVE-2020-36049 |
| May 2021 | ws | ReDoS in Sec-Websocket-Protocol header | CVE-2021-32640 |
| October 2022 | socket.io-parser | Insufficient validation when decoding a Socket.IO packet | CVE-2022-2421 |
| May 2023 | socket.io-parser | Insufficient validation when decoding a Socket.IO packet | CVE-2023-32695 |
| June 2024 | ws | DoS when handling a request with many HTTP headers | CVE-2024-37890 |