CVE-2016-10536

Name of the Vulnerable Software and Affected Versions engine.io-client versions 1.6.8 and earlier

Description The issue is related to the way node.js handles the rejectUnauthorized setting. If the value evaluates to false, such as when it is null or undefined, certificate verification will be disabled. This poses a problem as it may expose the application to Man-in-the-Middle attacks. The estimated number of potentially affected devices is not provided.

Recommendations Update to version 1.6.9 or later. If you are unable to upgrade, ensure all calls to socket.io have a rejectUnauthorized: true flag.