Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-4r4m-hjwj-43p8

GitHub Security Advisory

Insecure Defaults Allow MITM Over TLS in engine.io-client

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

Affected versions of `engine.io-client` do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks.

The vulnerability is related to the way that node.js handles the `rejectUnauthorized` setting. If the value is something that evaluates to false, such as undefined or null, certificate verification will be disabled.

## Recommendation

Update to version 1.6.9 or later.

If you are unable to upgrade, ensure all calls to socket.io to have a `rejectedUnauthorized: true` flag.

Affected Packages

npm engine.io-client
Affected versions: 0 (fixed in 1.6.9)

Related CVEs

CVE-2016-10536

Key Information

GHSA ID
GHSA-4r4m-hjwj-43p8
Published
February 18, 2019 11:39 PM
Last Modified
September 7, 2023 10:50 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
engine.io-client
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.