Severity: critical

Authentication Bypass



Affected versions of the console-io package do not configure the underlying websocket library to require authentication, resulting in an authentication bypass vulnerability. As console-io allows terminal access on the server via a web page, an authentication bypass is essentially remote code execution.


Update to version 2.3.0 or later.
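
The class of fix described above, as an added example (not console-io's code, and not the code of the websocket library it uses): a Node.js gate that checks credentials on the WebSocket handshake itself, so the socket channel is not left open when only the web page is protected. HTTP Basic credentials, the names `isAuthorizedUpgrade`, `guardUpgrades` and `onAccepted`, and the sample user and password are assumptions made for illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Compare two strings in constant time; hashing first equalises their lengths.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// True only if the upgrade request carries the expected HTTP Basic credentials.
function isAuthorizedUpgrade(req, user, pass) {
  const header = (req.headers && req.headers.authorization) || '';
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/i.exec(header);
  if (!m) return false;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // the password may itself contain ':'
  if (sep < 0) return false;
  const userOk = safeEqual(decoded.slice(0, sep), user);
  const passOk = safeEqual(decoded.slice(sep + 1), pass);
  return userOk && passOk; // both compared, no early exit
}

// Gate every WebSocket handshake on `server` (an http.Server) before any
// websocket library sees it. `onAccepted` is a hypothetical hand-off callback.
function guardUpgrades(server, user, pass, onAccepted) {
  server.on('upgrade', (req, socket, head) => {
    if (!isAuthorizedUpgrade(req, user, pass)) {
      socket.end('HTTP/1.1 401 Unauthorized\r\nConnection: close\r\n\r\n');
      return;
    }
    onAccepted(req, socket, head);
  });
}

// Constructed sample handshakes, run against a stand-in server object.
function demo() {
  const handlers = {};
  const fakeServer = { on: (evt, fn) => { handlers[evt] = fn; } };
  const log = [];
  guardUpgrades(fakeServer, 'admin', 's3cret', () => log.push('accepted'));
  const socket = { end: (data) => log.push(data.split('\r\n')[0]) };
  const good = 'Basic ' + Buffer.from('admin:s3cret').toString('base64');
  handlers.upgrade({ headers: {} }, socket, Buffer.alloc(0));
  handlers.upgrade({ headers: { authorization: good } }, socket, Buffer.alloc(0));
  return log;
}

console.log(demo());
```

If a websocket library attaches its own `upgrade` listener to the same server, this gate does not stop it; the library has to be wired so that only accepted handshakes reach it.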


Advisory timeline

  1. published: Advisory published, Apr 18th, 2016
  2. reported: Initial report by Craig Arendt, Mar 28th, 2016