Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: vulnerability reported in [email protected] #4711

Closed
vince-fugnitto opened this issue May 9, 2023 · 2 comments
Closed

security: vulnerability reported in [email protected] #4711

vince-fugnitto opened this issue May 9, 2023 · 2 comments
Labels
to triage Waiting to be triaged by a member of the team

Comments

@vince-fugnitto
Copy link

Describe the bug

There is a security vulnerability reported in [email protected] which socket.io declares in it's dependencies:

socket.io/package.json

Line 52 in 3d44aae

"engine.io": "~6.4.1",

npm audit output:

$ npm audit
# npm audit report

cookiejar  <2.1.4
Severity: moderate
cookiejar Regular Expression Denial of Service via Cookie.parse function - https://github.com/advisories/GHSA-h452-7996-h45h
fix available via `npm audit fix`
node_modules/cookiejar

engine.io  5.1.0 - 6.4.1
Severity: high
engine.io Uncaught Exception vulnerability - https://github.com/advisories/GHSA-q9mw-68c2-j6m5
fix available via `npm audit fix`
node_modules/engine.io

2 vulnerabilities (1 moderate, 1 high)

To address all issues, run:
  npm audit fix

To Reproduce

  1. clone the repository
  2. perform npm audit
@vince-fugnitto vince-fugnitto added the to triage Waiting to be triaged by a member of the team label May 9, 2023
darrachequesne added a commit that referenced this issue May 10, 2023
@darrachequesne
chore: bump engine.io to version 6.4.2
12b0de4 
Reference: GHSA-q9mw-68c2-j6m5

Related: #4711
@darrachequesne
Copy link
Member

This should be fixed by 12b0de4. Thanks for the heads-up 👍

@vince-fugnitto
Copy link
Author

@darrachequesne thanks for the quick fix! When can we expect a new release?

dzad pushed a commit to dzad/socket.io that referenced this issue May 29, 2023
@darrachequesne
chore: bump engine.io to version 6.4.2
2993b7a 
Reference: GHSA-q9mw-68c2-j6m5

Related: socketio#4711
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
to triage Waiting to be triaged by a member of the team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@darrachequesne @vince-fugnitto