CVE-2017-16031
Severity: NONE · EPSS: 78.3%
Published: Jun 4, 2018
Last modified: Jun 17, 2026
Description
Socket.io is a realtime application framework that provides bidirectional communication over WebSockets. socket.io 0.9.6 and earlier derives each client's socket ID from `Math.random()`, which is a non-cryptographic PRNG whose output stream can be reproduced, so the IDs are predictable. An attacker who predicts or guesses a valid socket ID can present it to the socket.io server and interact with the server as that client, potentially obtaining sensitive information.
Threat Intelligence
EPSS exploit probability: 78.3% (percentile)
Exploit & patch status:
- No known exploit
- Patch available
Weaknesses (1)
CWE-330: Use of Insufficiently Random Values
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| socket | socket.io | * | ≤0.9.6 |
References (4)
- github.com https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
- github.com https://github.com/socketio/socket.io/issues/856
- github.com https://github.com/socketio/socket.io/pull/857
- nodesecurity.io https://nodesecurity.io/advisories/321
Remediation
Upgrade to a socket.io release later than 0.9.6; the fix is the commit below, which stops deriving socket IDs from `Math.random()`. Check the installed version with `npm ls socket.io`.
- github.com https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8