npm

Severity: moderate

Insecure Defaults Allow MITM Over TLS

engine.io-client

Overview

Affected versions of engine.io-client do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks.

The vulnerability stems from the way Node.js handles the rejectUnauthorized setting: if the value evaluates to false, such as undefined or null, certificate verification is disabled.

Remediation

Update to version 1.6.9 or later.

If you are unable to upgrade, ensure all calls to socket.io pass rejectUnauthorized: true in their options.
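The following is an added example, not code from the advisory or from the engine.io-client project. It models the falsy check described above (any value that coerces to false leaves verification off) and shows a small defensive wrapper that forces an explicit rejectUnauthorized: true before an options object reaches the client; the io() call in the comment is an assumed usage of socket.io-client, not something the advisory prescribes.

```javascript
// Added example (not part of the npm advisory or engine.io-client).
// Models how a falsy `rejectUnauthorized` is treated, and wraps option
// construction so the flag is always explicitly true unless a caller
// deliberately passes the boolean false.

// Mirrors the behaviour the advisory describes: the setting is tested
// for truthiness, so undefined, null, 0 and '' all disable verification.
function certificateVerificationEnabled(opts) {
  return Boolean(opts && opts.rejectUnauthorized);
}

// Returns a copy of `opts` with rejectUnauthorized explicitly true.
// A deliberate `false` is preserved but recorded in `log` so an audit
// can flag connections that skip certificate checks.
function hardenTlsOptions(opts, log = []) {
  const out = Object.assign({}, opts);
  if (out.rejectUnauthorized === false) {
    log.push('rejectUnauthorized explicitly false: certificate checks disabled');
  } else {
    if (out.rejectUnauthorized !== true) {
      log.push('rejectUnauthorized was ' + String(out.rejectUnauthorized) + '; forcing true');
    }
    out.rejectUnauthorized = true;
  }
  return out;
}

// Assumed usage with socket.io-client (hypothetical host, not from the advisory):
// const io = require('socket.io-client');
// const socket = io('https://example.invalid', hardenTlsOptions({ secure: true }));

// Constructed option objects covering the cases the advisory mentions.
const constructedExamples = [
  { secure: true },                            // option omitted -> undefined
  { secure: true, rejectUnauthorized: null },  // explicit null
  { secure: true, rejectUnauthorized: true }   // correct setting
];
for (const o of constructedExamples) {
  const verdict = certificateVerificationEnabled(o) ? 'verifies' : 'does NOT verify';
  console.log(JSON.stringify(o), '->', verdict);
}
```

The wrapper is intentionally asymmetric: it fixes the accidental cases (omitted, undefined, null) but does not silently override an explicit false, since that is a choice someone made and should show up in the log rather than be hidden.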


Advisory timeline

  1. published

    Advisory published
    Apr 26th, 2016
  2. reported

    Initial report by David Johansson
    Apr 4th, 2016