Lucene search

190 matches found

Prion
added 2018/06/04 7:29 p.m., 13 views

Information disclosure

Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on Math.random to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtainin...

CVSS 5, AI score 7.5, EPSS 0.00385
Exploits 0, References 4, Affected Software 1
Cvelist
added 2018/06/04 7:0 p.m., 11 views

CVE-2017-16031

Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on Math.random to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtainin...

AI score 7.6, EPSS 0.00385
Exploits 0, References 4
CVE
added 2018/06/04 7:0 p.m., 53 views

CVE-2017-16031

Socket.io (pre-0.9.7) uses Math.random() to generate socket IDs, making them predictable. The vulnerability allows an attacker to guess a valid socket ID and gain unauthorized access to socket.io servers, potentially exposing sensitive information. The advisory editions in the connected documents...

CVSS 7.5, AI score 7.5, EPSS 0.00385
Exploits 0, References 4, Affected Software 1
CNVD
added 2018/06/04 12:0 a.m., 1 views

console-io authentication bypass vulnerability

Cloud Commander is a Web file manager with console and editor. console-io is one of the Web-based console programs. A security vulnerability exists in console-io 2.2.13 and earlier versions, which stems from the program not configuring socket.io to perform authentication. A remote attacker could...

CVSS 10, AI score 7.3, EPSS 0.002
Exploits 0, References 1
NVD
added 2018/05/31 8:29 p.m., 15 views

CVE-2016-10536

engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates ...

CVSS 5.9, AI score 5.7, EPSS 0.00225
Exploits 0, References 3
CVE
added 2018/05/31 8:0 p.m., 61 views

CVE-2016-10536

The CVE-2016-10536 issue affects engine.io-client (Socket.IO) prior to 1.6.9, where the client passes a settings object containing rejectUnauthorized; if not explicitly set, it can be passed as null, disabling certificate verification and exposing users to Man-in-the-Middle attacks. This behavior...

CVSS 5.9, AI score 5.6, EPSS 0.00225
Exploits 0, References 3, Affected Software 1
Cvelist
added 2018/05/31 8:0 p.m., 19 views

CVE-2016-10536

engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates ...

AI score 5.6, EPSS 0.00225
Exploits 0, References 3
n0where
added 2017/08/08 7:45 p.m., 153 views

A WebSocket Manipulation Proxy: WSSiP

Short for “WebSocket/Socket.io Proxy”, this tool, written in Node.js, provides a user interface to capture, intercept, send custom messages and view all WebSocket and Socket.IO communications between the client and server. Upstream proxy support also means you can forward HTTP/HTTPS traffic to an...

AI score 0.4
Exploits 0, References 1
Node.js
added 2017/03/09 10:37 p.m., 55 views

Insecure randomness

Overview: Affected versions of socket.io depend on Math.random to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization. Recommendation: Update to v0.9...

CVSS 5, AI score 4.2, EPSS 0.00385
Exploits 0, Affected Software 1
Cvelist
added 2015/02/04 6:0 p.m., 16 views

CVE-2015-1482

Ansible Tower aka Ansible UI before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/...

AI score 6.5, EPSS 0.17397
Exploits 1, References 5