| Version | Supported |
|---|---|
| 4.x | ✅ |
| 3.x | ✅ |
| 2.4.x | ✅ |
| < 2.4.0 | ❌ |
To report a security vulnerability in this package, please send an email to @darrachequesne (see address in profile) describing the vulnerability and how to reproduce it.
We will get back to you as soon as possible and publish a fix if necessary.
| Date | Description | CVE number | Affected versions | Patched versions |
|---|---|---|---|---|
| July 2012 | Insecure randomness | CVE-2017-16031 |
<= 0.9.6 |
0.9.7 |
| January 2021 | CORS misconfiguration | CVE-2020-28481 |
< 2.4.0 |
2.4.0 |
| June 2024 | Unhandled 'error' event | CVE-2024-38355 |
< 2.5.1 >= 3.0.0, < 4.6.2 |
2.5.1 4.6.2 |
From the transitive dependencies:
| Date | Dependency | Description | CVE number |
|---|---|---|---|
| January 2016 | ws |
Buffer vulnerability | CVE-2016-10518 |
| January 2016 | ws |
DoS due to excessively large websocket message | CVE-2016-10542 |
| November 2017 | ws |
DoS in the Sec-Websocket-Extensions header parser |
- |
| February 2020 | engine.io |
Resource exhaustion | CVE-2020-36048 |
| January 2021 | socket.io-parser |
Resource exhaustion | CVE-2020-36049 |
| May 2021 | ws |
ReDoS in Sec-Websocket-Protocol header |
CVE-2021-32640 |
| January 2022 | engine.io |
Uncaught exception | CVE-2022-21676 |
| October 2022 | socket.io-parser |
Insufficient validation when decoding a Socket.IO packet | CVE-2022-2421 |
| November 2022 | engine.io |
Uncaught exception | CVE-2022-41940 |
| May 2023 | engine.io |
Uncaught exception | CVE-2023-31125 |
| May 2023 | socket.io-parser |
Insufficient validation when decoding a Socket.IO packet | CVE-2023-32695 |
| June 2024 | ws |
DoS when handling a request with many HTTP headers | CVE-2024-37890 |