Critical vulnerability: Insufficient validation when decoding a Socket.IO packet

[salomedo]

Hello,

We are currently facing a critical vulnerability in our project that depends on karma.
GHSA-qm95-pgcg-qqfq

Steps to reproduce:
npm install
npm audit

Console message:

├─ socket.io-parser: 4.0.4                                                                                                                                 
│  ├─ Issue: Insufficient validation when decoding a Socket.IO packet                                                                                      
│  ├─ URL: https://github.com/advisories/GHSA-qm95-pgcg-qqfq                                                                                               
│  ├─ Severity: critical                                                                                                                                   
│  ├─ Vulnerable Versions:                                                                                                                           
│  ├─ Patched Versions: >=4.0.5                                                                                                                            
│  ├─ Via: karma, karma-htmlfile-reporter, karma-jasmine-html-reporter                                                                                     
│  └─ Recommendation: Upgrade to version 4.0.5 or later   

Thank you in advance.

[johnbumgardner]

yeah experienced the same thing.

[dep]

I've tried updating my Karma stack to 6.4.1 but a few of my Karma suites are halting/failing to complete. When I view in the browser, I see pending localhost/socket-io requests that never complete, they just restart after 30 seconds. Feels awfully related to either this dependency or socket.io-parser.

[johnbumgardner]

I've tried updating my Karma stack to 6.4.1 but a few of my Karma suites are halting/failing to complete. When I view in the browser, I see pending localhost/socket-io requests that never complete, they just restart after 30 seconds. Feels awfully related to either this dependency or socket.io-parser.

6.4.1 is using the vulnerable socket.io

i made a PR bumping it and waiting on it to get reviewed.

#3825

[dep]

I tried adding these two resolutions along with 6.4.1 but ran into the same problem.

"resolutions": {
    ...
    "**/socket.io": "4.5.2",
    "**/socket.io-parser": "4.2.1",
    ...
}

[amanyzohair]

I'm experiencing the same problem

[dep]

Any timeline on getting this PR merged?

[AllForNothing]

+1， waiting for the patch version...

[LucasLopesr]

+1， waiting for the patch version...

[efogarasi]

+1, we are also waiting for the patch version...

[amanyzohair]

+1, waiting for the patch version...