GHSA-qv2v-m59f-v5fw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qv2v-m59f-v5fw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-qv2v-m59f-v5fw/GHSA-qv2v-m59f-v5fw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-qv2v-m59f-v5fw
- Aliases
- Published
- 2018-11-07T00:29:37Z
- Modified
- 2023-11-01T04:47:47.226009Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Insecure randomness in socket.io
- Details
-
Affected versions of
socket.iodepend onMath.random()to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.Recommendation
Update to v0.9.7 or later.
- Database specific
{ "cwe_ids": [ "CWE-330" ], "github_reviewed": true, "nvd_published_at": null, "severity": "HIGH", "github_reviewed_at": "2020-06-16T21:52:46Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-16031
- https://github.com/socketio/socket.io/issues/856
- https://github.com/socketio/socket.io/pull/857
- https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
- https://github.com/advisories/GHSA-qv2v-m59f-v5fw
- https://github.com/socketio/socket.io
- https://www.npmjs.com/advisories/321
Affected packages
npm / socket.io
Package
- Name
- socket.io
- View open source insights on deps.dev
- Purl
- pkg:npm/socket.io