
CVE-2016-10536 engine.io-client

Package

Manager: npm
Name: engine.io-client
Vulnerable Version: >=0 <1.6.9

Severity

Level: Medium

CVSS v3.0: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00237 (percentile 0.46676)

Details

Insecure Defaults Allow MITM Over TLS in engine.io-client

Affected versions of `engine.io-client` do not verify TLS certificates by default and are therefore exposed to man-in-the-middle attacks. The root cause is the way Node.js handles the `rejectUnauthorized` option: if the value is anything that evaluates to false, such as `undefined` or `null`, certificate verification is disabled. A caller that never sets the option therefore gets a TLS connection whose server certificate is not checked.

Recommendation

Update to version 1.6.9 or later. If you are unable to upgrade, pass an explicit `rejectUnauthorized: true` on every socket.io / engine.io-client connection; do not rely on the default.

Metadata

Created: 2019-02-18T23:39:50Z
Modified: 2023-09-07T22:50:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-4r4m-hjwj-43p8/GHSA-4r4m-hjwj-43p8.json
CWE IDs: ["CWE-300"]
Alternative ID: GHSA-4r4m-hjwj-43p8
Finding: F332
Auto approve: 1