Description
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
Remediation
References
https://nodesecurity.io/advisories/321
https://github.com/socketio/socket.io/pull/857
https://github.com/socketio/socket.io/issues/856
https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
Related Vulnerabilities
CVE-2019-12418 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2016-6796 Vulnerability in maven package org.apache.tomcat:jasper
CVE-2023-30363 Vulnerability in npm package vconsole
CVE-2021-21429 Vulnerability in maven package org.openapitools:openapi-generator-maven-plugin
CVE-2017-3586 Vulnerability in maven package mysql:mysql-connector-java