CVE-2017-16031
CVE-2017-16031 is a vulnerability of currently unknown severity. Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. EPSS estimates a 2.00% chance of exploitation in the next 30 days.
Description
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Socket | Socket.Io | <= 0.9.6 |
References
- https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8 (Issue Tracking, Patch, Third Party Advisory)
- https://github.com/socketio/socket.io/issues/856 (Issue Tracking, Third Party Advisory)
- https://github.com/socketio/socket.io/pull/857 (Issue Tracking, Third Party Advisory)
- https://nodesecurity.io/advisories/321 (Third Party Advisory)
Source: NVD / NIST
