Insecure Defaults Allow MITM Over TLS
engine.io-client
Affected versions of engine.io-client do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks.
The vulnerability is related to the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates to false, such as undefined or null, certificate verification will be disabled.
Update to version 1.6.9 or later.
If you are unable to upgrade, ensure all calls to socket.io have a rejectUnauthorized: true flag.
Advisory published: Apr 26th, 2016
Initial report by David Johansson: Apr 4th, 2016