PT-2018-6061 · Socket.Io · Socket.Io
Published
2018-06-04
·
Updated
2018-11-07
·
CVE-2017-16031
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
socket.io versions 0.9.6 and earlier
Description:
The issue concerns the predictability of socket IDs in socket.io, which are generated using
Math.random(). This predictability allows an attacker to guess the socket ID, potentially gaining unauthorized access to socket.io servers and obtaining sensitive information.Recommendations:
Update to v0.9.7 or later.
Fix
Use of Insufficiently Random Values
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Socket.Io