CVE-2017-16031
N/A
N/A
Summary
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on Math.random() to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HackerOne | socket.io node module | <=0.9.6 | affected |
Weaknesses
- Account Hijacking
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
- https://github.com/socketio/socket.io/issues/856
- https://github.com/socketio/socket.io/pull/857
- https://nodesecurity.io/advisories/321
References
- https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
- https://github.com/socketio/socket.io/issues/856
- https://github.com/socketio/socket.io/pull/857
- https://nodesecurity.io/advisories/321
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.