engine.io-client@0.7.5 vulnerabilities

Client for the realtime Engine

  • latest version

    6.6.2

  • latest non vulnerable version

  • first published

    12 years ago

  • latest version published

    1 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the engine.io-client package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Insecure Defaults

    engine.io-client, the client for engine.io and socket.io, disables the core SSL/TLS verification checks by default.

    This allows an active attacker, for instance one operating a malicious WiFi, to intercept these encrypted connections using the attacker's spoofed certificate and keys. Doing so compromises the data communicated over this channel, as well as allowing an attacker to impersonate both the server and the client during the live session, sending spoofed data to either side.

    How to fix Insecure Defaults?

    Update to version 1.6.9 or greater.

    If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.

    <1.6.9