Insecure Defaults Affecting engine.io-client Open this link in a new tab package, versions [,1.6.9)


0.0
high
  • Attack Complexity

    Low

  • Confidentiality

    High

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-DOTNET-ENGINEIOCLIENT-60149

  • published

    26 Apr 2016

  • disclosed

    26 Apr 2016

  • credit

    David Johansson

How to fix?

Update to version 1.6.9 or greater.

If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.

Overview

engine.io-client, the client for engine.io and socket.io, disables the core SSL/TLS verification checks by default.

This allows an active attacker, for instance one operating a malicious WiFi, to intercept these encrypted connections using the attacker's spoofed certificate and keys. Doing so compromises the data communicated over this channel, as well as allowing an attacker to impersonate both the server and the client during the live session, sending spoofed data to either side.