Description
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
Remediation
References
https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
https://github.com/socketio/socket.io/issues/856
https://github.com/socketio/socket.io/pull/857
https://nodesecurity.io/advisories/321
Related Vulnerabilities
CVE-2022-45143 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2021-32817 Vulnerability in npm package express-hbs
CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-standard-processors
CVE-2014-3651 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2018-20677 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap