Socket >> Socket.io Security Vulnerabilities
Versions of the socket.io package before 2.4.0 are vulnerable to Insecure Defaults due to a CORS misconfiguration. All domains are whitelisted by default.
CVSS Score: 5.3
EPSS Score: 0.002
Published: 2021-01-19
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
CVSS Score: 7.5
EPSS Score: 0.004
Published: 2018-06-04

