VYPR

npm package

socket.io

pkg:npm/socket.io

Vulnerabilities (3)

  • CVE-2024-38355 (High), Jun 19, 2024
    affected < 2.5.1, fixed 2.5.1

    Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been

  • CVE-2020-28481, Jan 19, 2021
    affected < 2.4.0, fixed 2.4.0

    The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

  • CVE-2017-16031 (High), Jun 4, 2018
    affected < 0.9.7, fixed 0.9.7

    Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers,