Overview
socket.io is a node.js realtime framework server.
Affected versions of the package are vulnerable to Insecure Randomness: they rely on the cryptographically insecure Math.random function, which can produce predictable values and should not be used in a security-sensitive context.
Remediation
Upgrade socket.io to version 0.9.7 or higher.
CVSS Score
5.3 medium severity
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: None
- Credit: Martin Thomson
- CVE: CVE-2017-16031
- CWE: CWE-330
- Snyk ID: npm:socket.io:20120323
- Disclosed: 22 Mar, 2012
- Published: 13 Feb, 2017