High severity (7.5) · NVD Advisory · Published Jun 4, 2018 · Updated Jun 17, 2026
CVE-2017-16031
Description
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on Math.random() to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| socket.io (npm) | < 0.9.7 | 0.9.7 |
Affected products
- HackerOne / socket.io node module (v5), range: <= 0.9.6
References
- github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8 (NVD: Issue Tracking, Patch, Third Party Advisory)
- github.com/advisories/GHSA-qv2v-m59f-v5fw (GHSA: Advisory)
- github.com/socketio/socket.io/issues/856 (NVD: Issue Tracking, Third Party Advisory)
- github.com/socketio/socket.io/pull/857 (NVD: Issue Tracking, Third Party Advisory)
- nodesecurity.io/advisories/321 (NVD: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16031 (GHSA: Advisory)
- www.npmjs.com/advisories/321 (GHSA: Web)