
Need 2.4.x to upgrade to socket.io-parser@3.4.1 for security issue #1434

Closed
andrewaustin opened this issue Jan 9, 2021 · 2 comments

Comments

@andrewaustin

andrewaustin commented Jan 9, 2021

socket.io-parser version 3.3.1 is vulnerable to socketio/socket.io-parser#95.

socket.io-client 2.4.x is pinned to "socket.io-parser": "~3.3.0", so it will not pick up this security patch, which is fixed in 3.4.1.

socket.io-parser was last updated in this commit: 06e9a4c 2 years ago.

The diff of changes is here: https://github.com/socketio/socket.io-parser/compare/3.3.0..3.4.1

@darrachequesne
Member

Hi! I backported the security fix in the 3.3.x branch and included it in 3.3.2.

Please note that the server part (which was indeed vulnerable) imports socket.io-parser@~3.4.0 (see here), which already includes the fix (the difference is due to the version of the debug dependency, which included some es6 code in latest versions).

Thanks for the heads-up! 👍

@andrewaustin
Author

Perfect thanks!
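The thread turns on semver range semantics: a `~3.3.0` pin admits 3.3.2 (the backport) but never 3.4.1, while the server's `~3.4.0` pin already reaches the fix. The following is an added example, not code from socket.io or from anyone in this thread; `satisfies` and `auditRange` are hypothetical helpers that implement exact, tilde and caret ranges so a dependency range can be checked against the releases that carry a fix.

```javascript
// Added example (not part of socket.io): does a package.json range reach a patched release?

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Upper (exclusive) bound of a range, following npm semver rules:
//   ~x.y.z  -> < x.(y+1).0            (patch-level updates only)
//   ^x.y.z  -> < (x+1).0.0            (minor + patch within the same major)
//   ^0.y.z  -> < 0.(y+1).0, ^0.0.z -> < 0.0.(z+1)  (leading-zero special cases)
function upperBound(op, lower) {
  const [major, minor, patch] = lower;
  if (op === "~") return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Supports exact versions ("3.3.1"), tilde ("~3.3.0") and caret ("^3.3.0") ranges.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = range[0] === "~" || range[0] === "^" ? range[0] : "";
  const lower = parseVersion(op ? range.slice(1) : range);
  if (!op) return compare(v, lower) === 0;
  return compare(v, lower) >= 0 && compare(v, upperBound(op, lower)) < 0;
}

// For a dependency range, list which fixed releases an install could resolve to.
// `safe` is false when no fixed release is reachable, i.e. the pin blocks the patch.
function auditRange(name, range, fixedVersions) {
  const reachable = fixedVersions.filter((f) => satisfies(f, range));
  return { name, range, reachable, safe: reachable.length > 0 };
}

// Constructed sample mirroring the issue: client pinned to ~3.3.0, fix shipped in 3.4.1,
// and then backported to 3.3.2 by the maintainer.
console.log(auditRange("socket.io-parser", "~3.3.0", ["3.4.1"]));
console.log(auditRange("socket.io-parser", "~3.3.0", ["3.3.2", "3.4.1"]));
```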
