Insecure Defaults

Affecting the engine.io-client package, versions <1.6.9


Overview

engine.io-client, the client library for engine.io and Socket.IO, disables the core SSL/TLS certificate verification checks by default. The issue affects clients running under Node.js, where the library controls the TLS options handed to the underlying connection; in a browser the platform performs certificate verification itself and script cannot turn it off.

This allows an active attacker, for instance one operating a malicious Wi-Fi access point or otherwise positioned on the network path, to intercept these encrypted connections by presenting a certificate and key pair of their own: because the client never checks that the certificate chains to a trusted CA or matches the requested host, the TLS handshake succeeds against the attacker's endpoint. Doing so exposes all data sent over the channel and lets the attacker impersonate both the server and the client for the duration of the session, reading or injecting data in either direction.

Remediation

Upgrade to version 1.6.9 or later. engine.io-client is usually pulled in transitively through socket.io-client, so check the resolved version in your lockfile rather than only your direct dependencies. The fix changes a default, so a configuration that explicitly disables certificate verification remains exposed after upgrading; audit your own client options as well.

If a direct dependency update is not possible, run snyk wizard to apply the Snyk patch for this vulnerability.
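Two checks an application owner can run against this advisory, as an added example (JavaScript for Node.js; it is not code from Snyk or from engine.io-client): isAffected() tests an installed version against the affected range <1.6.9 quoted above, and hardenedConnection() builds client options that keep certificate verification switched on regardless of what the installed library defaults to. The example assumes that engine.io-client forwards the standard Node.js TLS option rejectUnauthorized to its HTTPS/WebSocket transports; the option names allowInsecureTls and allowInsecureTransport are invented for the example.

```javascript
'use strict';
// Added example for this advisory; not code from the advisory or from
// engine.io-client. Two checks an application owner would run:
//   1. isAffected(version): does an installed engine.io-client version fall
//      in the affected range "<1.6.9"?
//   2. hardenedConnection(url, opts): client options that keep TLS
//      certificate verification on, whatever the library's default is.
// ASSUMPTION: engine.io-client passes the standard Node.js TLS option
// `rejectUnauthorized` through to its HTTPS/WebSocket transports. The option
// names `allowInsecureTls` and `allowInsecureTransport` are invented here.

const FIXED_VERSION = '1.6.9';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", optional pre-release tag,
// build metadata ignored) into numeric parts.
function parseVersion(version) {
  const re = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b. A pre-release such as
// 1.6.9-rc.1 sorts below the 1.6.9 release, so it still counts as affected.
// Pre-release identifiers are compared lexically, which is enough here.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (const part of ['major', 'minor', 'patch']) {
    if (va[part] !== vb[part]) return va[part] - vb[part];
  }
  if (va.pre === vb.pre) return 0;
  if (va.pre === null) return 1;   // a release outranks any pre-release
  if (vb.pre === null) return -1;
  return va.pre < vb.pre ? -1 : 1;
}

// True for every version in the advisory's affected range (<1.6.9).
function isAffected(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) < 0;
}

// Build { url, opts } for `new Socket(url, opts)` with verification pinned on.
//  - Cleartext schemes (ws://, http://) are refused unless the caller sets
//    allowInsecureTransport: an on-path attacker can read and inject on them
//    without any certificate trick at all.
//  - rejectUnauthorized is forced to true. Turning verification off requires
//    the explicit allowInsecureTls flag, so the decision is visible in code
//    review instead of hiding in a library default.
function hardenedConnection(url, opts = {}) {
  const { allowInsecureTls = false, allowInsecureTransport = false, ...rest } = opts;
  const { protocol } = new URL(url);
  const tlsScheme = protocol === 'wss:' || protocol === 'https:';
  if (!tlsScheme && !allowInsecureTransport) {
    throw new Error(`refusing cleartext transport ${protocol}//; use wss:// or https://`);
  }
  if (rest.rejectUnauthorized === false && !allowInsecureTls) {
    throw new Error('rejectUnauthorized:false disables certificate verification; set allowInsecureTls:true to accept a MITM-able connection');
  }
  return { url, opts: { ...rest, rejectUnauthorized: !allowInsecureTls } };
}

// Typical use (engine.io-client is not loaded here, so this file runs offline):
//   const Socket = require('engine.io-client');
//   const { url, opts } = hardenedConnection('wss://chat.example/engine.io', {});
//   const socket = new Socket(url, opts);
for (const v of ['1.5.2', '1.6.8', '1.6.9-rc.1', '1.6.9', '1.7.0']) {
  console.log(`engine.io-client@${v}: ${isAffected(v) ? 'AFFECTED' : 'fixed'}`);
}
console.log(hardenedConnection('wss://chat.example/engine.io', { path: '/engine.io' }));
```

The version check is only as good as its input: feed it the version resolved in the lockfile entry for engine.io-client (normally a transitive dependency of socket.io-client), not the range you requested in package.json. hardenedConnection() is worth keeping even after the upgrade, since it turns the library default into an explicit, reviewable setting.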

CVSS Score

8.1
high severity
  • Attack Vector
    Adjacent
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    None
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Credit
David Johansson
CVE
CVE-2016-10536
CWE
CWE-295 (Improper Certificate Validation), CWE-300 (Channel Accessible by Non-Endpoint)
Snyk ID
npm:engine.io-client:20160426
Disclosed
26 Apr, 2016
Published
31 May, 2016