Skip to content

Update dependency socket.io to v4 [SECURITY] #194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency socket.io to v4 [SECURITY] #194

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Jun 19, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
socket.io (source) ^3.0.0^4.6.2 age confidence

GitHub Vulnerability Alerts

CVE-2024-38355

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Version range Needs minor update?
4.6.2...latest Nothing to do
3.0.0...4.6.1 Please upgrade to socket.io@4.6.2 (at least)
2.3.0...2.5.0 Please upgrade to socket.io@2.5.1

Patches

This issue is fixed by socketio/socket.io@15af22f, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: socketio/socket.io@d30630b

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

Release Notes

socketio/socket.io (socket.io)

v4.6.2

Compare Source

Bug Fixes
Links

v4.6.1

Compare Source

Bug Fixes
  • properly handle manually created dynamic namespaces (0d0a7a2)
  • types: fix nodenext module resolution compatibility (#​4625) (d0b22c6)
Links

v4.6.0

Compare Source

Bug Fixes
  • add timeout method to remote socket (#​4558) (0c0eb00)
  • typings: properly type emits with timeout (f3ada7d)
Features
Promise-based acknowledgements

This commit adds some syntactic sugar around acknowledgements:

  • emitWithAck()
try {
  const responses = await io.timeout(1000).emitWithAck("some-event");
  console.log(responses); // one response per client
} catch (e) {
  // some clients did not acknowledge the event in the given delay
}

io.on("connection", async (socket) => {
    // without timeout
  const response = await socket.emitWithAck("hello", "world");

  // with a specific timeout
  try {
    const response = await socket.timeout(1000).emitWithAck("hello", "world");
  } catch (err) {
    // the client did not acknowledge the event in the given delay
  }
});
  • serverSideEmitWithAck()
try {
  const responses = await io.timeout(1000).serverSideEmitWithAck("some-event");
  console.log(responses); // one response per server (except itself)
} catch (e) {
  // some servers did not acknowledge the event in the given delay
}

Added in 184f3cf.

Connection state recovery

This feature allows a client to reconnect after a temporary disconnection and restore its state:

  • id
  • rooms
  • data
  • missed packets

Usage:

import { Server } from "socket.io";

const io = new Server({
  connectionStateRecovery: {
    // default values
    maxDisconnectionDuration: 2 * 60 * 1000,
    skipMiddlewares: true,
  },
});

io.on("connection", (socket) => {
  console.log(socket.recovered); // whether the state was recovered or not
});

Here's how it works:

  • the server sends a session ID during the handshake (which is different from the current id attribute, which is public and can be freely shared)
  • the server also includes an offset in each packet (added at the end of the data array, for backward compatibility)
  • upon temporary disconnection, the server stores the client state for a given delay (implemented at the adapter level)
  • upon reconnection, the client sends both the session ID and the last offset it has processed, and the server tries to restore the state

The in-memory adapter already supports this feature, and we will soon update the Postgres and MongoDB adapters. We will also create a new adapter based on Redis Streams, which will support this feature.

Added in 54d5ee0.

Compatibility (for real) with Express middlewares

This feature implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.

Syntax:

io.engine.use((req, res, next) => {
  // do something

  next();
});

// with express-session
import session from "express-session";

io.engine.use(session({
  secret: "keyboard cat",
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

// with helmet
import helmet from "helmet";

io.engine.use(helmet());

A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.

Added in 24786e7.

Error details in the disconnecting and disconnect events

The disconnect event will now contain additional details about the disconnection reason.

io.on("connection", (socket) => {
  socket.on("disconnect", (reason, description) => {
    console.log(description);
  });
});

Added in 8aa9499.

Automatic removal of empty child namespaces

This commit adds a new option, "cleanupEmptyChildNamespaces". With this option enabled (disabled by default), when a socket disconnects from a dynamic namespace and if there are no other sockets connected to it then the namespace will be cleaned up and its adapter will be closed.

import { createServer } from "node:http";
import { Server } from "socket.io";

const httpServer = createServer();
const io = new Server(httpServer, {
  cleanupEmptyChildNamespaces: true
});

Added in 5d9220b.

A new "addTrailingSlash" option

The trailing slash which was added by default can now be disabled:

import { createServer } from "node:http";
import { Server } from "socket.io";

const httpServer = createServer();
const io = new Server(httpServer, {
  addTrailingSlash: false
});

In the example above, the clients can omit the trailing slash and use /socket.io instead of /socket.io/.

Added in d0fd474.

Performance Improvements
  • precompute the WebSocket frames when broadcasting (da2b542)
Links:

v4.5.4

Compare Source

This release contains a bump of:

Links:

v4.5.3

Compare Source

Bug Fixes
  • typings: accept an HTTP2 server in the constructor (d3d0a2d)
  • typings: apply types to "io.timeout(...).emit()" calls (e357daf)
Links:

v4.5.2

Compare Source

Bug Fixes
  • prevent the socket from joining a room after disconnection (18f3fda)
  • uws: prevent the server from crashing after upgrade (ba497ee)
Links:

v4.5.1

Compare Source

Bug Fixes
  • forward the local flag to the adapter when using fetchSockets() (30430f0)
  • typings: add HTTPS server to accepted types (#​4351) (9b43c91)
Links:

v4.5.0

Compare Source

Bug Fixes
Features
  • add support for catch-all listeners for outgoing packets (531104d)

This is similar to onAny(), but for outgoing packets.

Syntax:

socket.onAnyOutgoing((event, ...args) => {
  console.log(event);
});
  • broadcast and expect multiple acks (8b20457)

Syntax:

io.timeout(1000).emit("some-event", (err, responses) => {
  // ...
});
  • add the "maxPayload" field in the handshake details (088dcb4)

So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize
value.

This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as
we only add a field in the JSON-encoded handshake data:

0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}
Links:

v4.4.1

Compare Source

Bug Fixes
Links:

v4.4.0

Compare Source

Bug Fixes
  • only set 'connected' to true after middleware execution (02b0f73)
Features
  • add an implementation based on uWebSockets.js (c0d8c5a)
const { App } = require("uWebSockets.js");
const { Server } = require("socket.io");

const app = new App();
const io = new Server();

io.attachApp(app);

io.on("connection", (socket) => {
  // ...
});

app.listen(3000, (token) => {
  if (!token) {
    console.warn("port already in use");
  }
});
socket.timeout(5000).emit("my-event", (err) => {
  if (err) {
    // the client did not acknowledge the event in the given delay
  }
});
interface SocketData {
  name: string;
  age: number;
}

const io = new Server<ClientToServerEvents, ServerToClientEvents, InterServerEvents, SocketData>();

io.on("connection", (socket) => {
  socket.data.name = "john";
  socket.data.age = 42;
});
Links:

v4.3.2

Compare Source

Bug Fixes
Links:

v4.3.1

Compare Source

Bug Fixes
Links:

v4.3.0

Compare Source

For this release, most of the work was done on the client side, see here.

Bug Fixes
  • typings: add name field to cookie option (#​4099) (033c5d3)
  • send volatile packets with binary attachments (dc81fcf)
Features
Links:

v4.2.0

Compare Source

Bug Fixes
  • typings: allow async listener in typed events (ccfd8ca)
Features
  • ignore the query string when serving client JavaScript (#​4024) (24fee27)
Links:

v4.1.3

Compare Source

Bug Fixes
  • fix io.except() method (94e27cd)
  • remove x-sourcemap header (a4dffc6)
Links:

v4.1.2

Compare Source

Bug Fixes
  • typings: ensure compatibility with TypeScript 3.x (0cb6ac9)
  • ensure compatibility with previous versions of the adapter (a2cf248)
Links:

v4.1.1

Compare Source

Bug Fixes
  • typings: properly type server-side events (b84ed1e)
  • typings: properly type the adapter attribute (891b187)
Links:

v4.1.0

Compare Source

Blog post: https://socket.io/blog/socket-io-4-1-0/

Features
  • add support for inter-server communication (93cce05)
  • notify upon namespace creation (499c892)
  • add a "connection_error" event (7096e98, from engine.io)
  • add the "initial_headers" and "headers" events (2527543, from engine.io)
Links:

v4.0.2

Compare Source

Bug Fixes
  • typings: make "engine" attribute public (b81ce4c)
  • properly export the Socket class (d65b6ee)
Links:

v4.0.1

Compare Source

Bug Fixes
Links:

v4.0.0

Compare Source

Blog post: https://socket.io/blog/socket-io-4-release/
Migration guide: https://socket.io/docs/v3/migrating-from-3-x-to-4-0/

Bug Fixes
  • make io.to(...) immutable (ac9e8ca)
Features
BREAKING CHANGES
  • io.to(...) now returns an immutable operator

Previously, broadcasting to a given room (by calling io.to()) would mutate the io instance, which could lead to surprising behaviors, like:

io.to("room1");
io.to("room2").emit(/* ... */); // also sent to room1

// or with async/await
io.to("room3").emit("details", await fetchDetails()); // random behavior: maybe in room3, maybe to all clients

Calling io.to() (or any other broadcast modifier) will now return an immutable instance.

Links:

v3.1.2

Compare Source

Bug Fixes
  • ignore packets received after disconnection (494c64e)
Links:

v3.1.1

Compare Source

Bug Fixes
  • properly parse the CONNECT packet in v2 compatibility mode (6f4bd7f)
  • typings: add return types and general-case overload signatures (#​3776) (9e8f288)
  • typings: update the types of "query", "auth" and "headers" (4f2e9a7)
Links:

v3.1.0

Compare Source

In order to ease the migration to Socket.IO v3, the v3 server is now able to communicate with v2 clients:

const io = require("socket.io")({
  allowEIO3: true // false by default
});

Note: the allowEIO3 refers to the version 3 of the Engine.IO protocol which is used in Socket.IO v2

Features
Bug Fixes
  • allow integers as event names (1c220dd)
Links:

v3.0.5

Compare Source

Bug Fixes
  • properly clear timeout on connection failure (170b739)
Reverts
  • restore the socket middleware functionality (bf54327)
Links:

v3.0.4

Compare Source

Links:

v3.0.3

Compare Source

Links:

v3.0.2

Compare Source

Bug Fixes
  • merge Engine.IO options (43705d7)
Links:

v3.0.1

Compare Source

Bug Fixes
  • export ServerOptions and Namespace types (#​3684) (f62f180)
  • typings: update the signature of the emit method (50671d9)
Links:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from b86b009 to e6659e9 Compare June 27, 2024 10:53
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 8c585b5 to 808bb18 Compare July 14, 2024 14:26
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 7900829 to a842bfa Compare July 21, 2024 12:31
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 9342b19 to e77af90 Compare July 28, 2024 17:37
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 9785ef9 to c28cfa6 Compare October 9, 2024 13:54
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 2616557 to 312a891 Compare October 28, 2024 19:29
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 1deefcf to cdcaf81 Compare November 17, 2024 18:27
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 8a78096 to 551d0cc Compare December 2, 2024 15:44
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 4 times, most recently from c97d2cd to 7987a47 Compare December 22, 2024 19:31
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 977f687 to bbb2dea Compare January 15, 2025 02:59
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 3 times, most recently from b4fc32e to f3305c4 Compare January 30, 2025 16:45
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from f3305c4 to 9ad5dcf Compare January 30, 2025 23:12
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 6ab5105 to 4189a02 Compare February 9, 2025 18:38
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from d95e71f to 8e34005 Compare March 3, 2025 19:26
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from c3f354e to eea2891 Compare July 3, 2025 00:32
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 4 times, most recently from 22c839b to 7cfb513 Compare August 13, 2025 19:38
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 9926a4a to cf1c78a Compare August 19, 2025 20:45
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 4f91066 to efbfd08 Compare August 31, 2025 15:05
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from e56016b to 69495f6 Compare September 25, 2025 23:27
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 3d290f9 to 9136fda Compare October 22, 2025 08:53
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 0102406 to dfc1326 Compare November 11, 2025 05:25
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from b58319e to cec1f00 Compare November 19, 2025 01:47
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 3 times, most recently from 1ecab9c to c4a792a Compare December 10, 2025 11:53
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from c4a792a to bea057b Compare December 10, 2025 16:58
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 4 times, most recently from 0e3789d to da8f0e1 Compare December 31, 2025 23:00
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch 2 times, most recently from 271944f to 1ad94a9 Compare January 9, 2026 02:30
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from 1ad94a9 to e7828a7 Compare January 19, 2026 17:08
@renovate renovate bot force-pushed the renovate/npm-socket.io-vulnerability branch from e7828a7 to 5874969 Compare January 19, 2026 22:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants