Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2017-16031

UNKNOWN
Published 2018-06-04T19:00:00Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2017-16031. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

HackerOne

socket.io node module

Affected Versions:

<=0.9.6

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Insecure randomness in socket.io

GHSA-qv2v-m59f-v5fw

Advisory Details

Affected versions of `socket.io` depend on `Math.random()` to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization. ## Recommendation Update to v0.9.7 or later.

Affected Packages

npm socket.io
ECOSYSTEM: ≥0 <0.9.7

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-16031
WEB https://github.com/socketio/socket.io/issues/856
WEB https://github.com/socketio/socket.io/pull/857
WEB https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
ADVISORY https://github.com/advisories/GHSA-qv2v-m59f-v5fw
PACKAGE https://github.com/socketio/socket.io
WEB https://www.npmjs.com/advisories/321

Advisory provided by GitHub Security Advisory Database. Published: November 7, 2018, Modified: September 16, 2021

References

https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
https://github.com/socketio/socket.io/issues/856
https://github.com/socketio/socket.io/pull/857
https://nodesecurity.io/advisories/321
Published: 2018-06-04T19:00:00Z
Last Modified: 2024-09-16T21:07:25.207Z
Copied to clipboard!