socket.io-parser - Insufficient validation when decoding a Socket.IO packet #5192

ritikaGupta4 · 2024-09-18T12:17:43Z

ritikaGupta4
Sep 18, 2024

What version of socket.io-client are you using?

socket.io-client v2.5.0

GHSA-cqmj-92xf-r6r9

Expected Behavior

The version of socket.io-client doesn't use a vulnerable version of socket.io-parser

Actual Behavior

npm audit report currently shows vulnerabilities.

darrachequesne · 2024-09-18T12:30:40Z

darrachequesne
Sep 18, 2024
Maintainer

Hi! [email protected] has been patched.

Reference: https://github.com/socketio/socket.io-parser/releases/tag/3.3.4

$ npm i socket.io-client@2

added 23 packages, changed 3 packages, and audited 49 packages in 1s

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm ls socket.io-parser
socket.io@ /home/damien/git/socket.io
├─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
  └── [email protected]

0 replies

ritikaGupta4 · 2024-09-18T12:39:00Z

ritikaGupta4
Sep 18, 2024
Author

Do we have any stable version in 2.x.x for socket.io-client as we don't want to do major change.

1 reply

darrachequesne Sep 18, 2024
Maintainer

You should be able to bump socket.io-parser from 3.3.3 to 3.3.4. Would that work for you?

ritikaGupta4 · 2024-09-18T13:12:13Z

ritikaGupta4
Sep 18, 2024
Author

No, actually we aren't using socket.io-parser directly but socket.io-client so as a dependency it is creating the issue. Hence we need a stable version of socket.io-client.

5 replies

darrachequesne Sep 18, 2024
Maintainer

I understand. However, as [email protected] depends on socket.io-parser@~3.3.0 (please notice the ~ range), running npm audit fix or npm update socket.io-parser should bring the right version of the socket.io-parser package. Could you please check?

ritikaGupta4 Sep 19, 2024
Author

Tried this, but it shows already up-to-date

darrachequesne Sep 19, 2024
Maintainer

Oh, I see, that's because pnpm update does not update transitive dependencies. Could you please try with pnpm audit --fix followed by pnpm install?

Reference: https://pnpm.io/cli/audit#--fix

If it does not work, could you please indicate which version of pnpm you are using?

ritikaGupta4 Sep 19, 2024
Author

This also didn't work. It just added socket.io-parser in overrides.

pnpm version: 7.20.0

darrachequesne Sep 19, 2024
Maintainer

I'm out of ideas then... Maybe uninstall then reinstall the socket.io-client package?

socket.io-parser - Insufficient validation when decoding a Socket.IO packet #5192

Uh oh!

ritikaGupta4 Sep 18, 2024

What version of socket.io-client are you using?

Expected Behavior

Actual Behavior

Replies: 3 comments · 6 replies

Uh oh!

darrachequesne Sep 18, 2024 Maintainer

Uh oh!

ritikaGupta4 Sep 18, 2024 Author

Uh oh!

darrachequesne Sep 18, 2024 Maintainer

Uh oh!

ritikaGupta4 Sep 18, 2024 Author

Uh oh!

darrachequesne Sep 18, 2024 Maintainer

Uh oh!

ritikaGupta4 Sep 19, 2024 Author

Uh oh!

darrachequesne Sep 19, 2024 Maintainer

Uh oh!

Uh oh!

ritikaGupta4 Sep 19, 2024 Author

Uh oh!

darrachequesne Sep 19, 2024 Maintainer

ritikaGupta4
Sep 18, 2024

Replies: 3 comments 6 replies

darrachequesne
Sep 18, 2024
Maintainer

ritikaGupta4
Sep 18, 2024
Author

darrachequesne Sep 18, 2024
Maintainer

ritikaGupta4
Sep 18, 2024
Author

darrachequesne Sep 18, 2024
Maintainer

ritikaGupta4 Sep 19, 2024
Author

darrachequesne Sep 19, 2024
Maintainer

ritikaGupta4 Sep 19, 2024
Author

darrachequesne Sep 19, 2024
Maintainer