CVE-2017-16031
Severity: HIGH 7.5 | EPSS: 0.39%
Insecure randomness in socket.io
Published: 11/7/2018 | Modified: 11/8/2023
Description
Affected versions of `socket.io` depend on `Math.random()` to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Recommendation
Update to v0.9.7 or later.
Affected packages (1)
- npm/socket.io: from 0, < 0.9.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (7)
- ADVISORY: https://github.com/advisories/GHSA-qv2v-m59f-v5fw
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-16031
- PATCH: https://github.com/socketio/socket.io
- WEB: https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
- WEB: https://github.com/socketio/socket.io/issues/856
- WEB: https://github.com/socketio/socket.io/pull/857
- WEB: https://www.npmjs.com/advisories/321