Vulnerability Description
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Socket | Socket.Io | <= 0.9.6 |
Related Weaknesses (CWE)
References
- https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b (Issue Tracking, Patch, Third Party Advisory)
- https://github.com/socketio/socket.io/issues/856 (Issue Tracking, Third Party Advisory)
- https://github.com/socketio/socket.io/pull/857 (Issue Tracking, Third Party Advisory)
- https://nodesecurity.io/advisories/321 (Third Party Advisory)
FAQ
What is CVE-2017-16031?
CVE-2017-16031 is a vulnerability with a CVSS score of 7.5 (HIGH). Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. ...
How severe is CVE-2017-16031?
CVE-2017-16031 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for the detailed severity breakdown.
Is there a patch for CVE-2017-16031?
Check the references section above for vendor advisories and patch information. Affected products include: Socket Socket.Io.