Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated socket.io version to fix security issues with socket.io-parser and engine.io #3867

Merged

Conversation

sharmanikhil04
Copy link
Contributor

@sharmanikhil04 sharmanikhil04 commented Oct 10, 2023

A specially crafted Sokcet.IO packet can trigger an uncaught exception on Sokcet.IO Server , thus killing the Node.js process.
Refer CWE-754 : https://cwe.mitre.org/data/definitions/754.html , CWE-20 : https://cwe.mitre.org/data/definitions/20.html , CVE-2023-32695 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32695 )
Similarly, a specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. (Refer CWE-248 : https://cwe.mitre.org/data/definitions/248.html, CVE-2023-31125 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31125)
These are potential security risks which are introduced by using [email protected] and need to be addressed in order to maintain the security of applications using karma.

@google-cla
Copy link

google-cla bot commented Oct 10, 2023

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@sharmanikhil04 sharmanikhil04 changed the title Updated socket.io version to fix security issues with socket.io-parse… Updated socket.io version to fix security issues with socket.io-parser and engine.io Oct 10, 2023
@sharmanikhil04
Copy link
Contributor Author

@jginsburgn Can you please have a look at this PR ?

@sharmanikhil04
Copy link
Contributor Author

@juliemr Can you please have a look at this PR ?

@sharmanikhil04
Copy link
Contributor Author

@barrtender Can you please have a look at this PR ?

pmvald
pmvald previously approved these changes Feb 5, 2024
@pmvald pmvald force-pushed the feature/dependencyupdates branch 3 times, most recently from ae4eeba to 297255f Compare February 5, 2024 03:30
…cket.io-parser and engine.io

A specially crafted Sokcet.IO packet can trigger an uncaught exception on Sokcet.IO Server , thus killing the Node.js process.
Similarly, a specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
These are potential security risks which are introduced by using [email protected] and need to be addressed in order to maintain the security of applications using karma.
@pmvald pmvald merged commit 0bffce2 into karma-runner:master Feb 5, 2024
2 of 12 checks passed
@karmarunnerbot
Copy link
Member

🎉 This PR is included in version 6.4.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants