MQTTnet
MQTTnet.Extensions.WebSocket4Net uses several outdated and possibly vulnerable dependencies
Describe the feature request
The Library should not use outdated or vulnerable dependencies. Currently not maintained dependencies:
- WebSocket4Net
- SuperSocket.ClientEngine.Core
- System.Net.Security
- System.Security.Cryptography.X509Certificates (High Risk Vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057)
Which project is your feature request related to?
MQTTnet.Extensions.WebSocket4Net
Describe the solution you'd like
Outdated dependencies should be replaced by ones that are actively maintained.
Describe alternatives you've considered
None
Additional context
Dependency Graph of the Library:
It seems that WebSocket4Net is no longer maintained. The latest release is from 2018. So, I am afraid there is not much we can do about it. The only reason for having this extension is that the web socket implementation in the .NET Framework does not support several encryption algorithms.
For me the only option is to get rid of that extension completely. Or do you have another suggestion?
I don't know what the Library WebSocket4Net does, I just found out about the vulnerability through our toolset. I don't really have a suggestion apart from using a different library or creating necessary code to implement the missing features.
Is there an alternative way to use mqtt via websocket?
There is no need for the extension at all. The .NET Framework has proper support for WebSockets. The API from MQTTnet is the same. You basically can remove the WebSocket4Net extension from the project. The only reason why it was created in the past is that it has support for some encryption algorithms which the .NET Version does not.
Starting with version 5.0.0.0 of this library, the library WebSocket4Net will no longer be used because the extension library is no longer provided.
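To check whether a project still pulls in the packages listed in this issue, and through which direct reference, the following added example (not code from this thread or from the MQTTnet project) walks a NuGet `packages.lock.json`. It assumes the project has lock files enabled; the sample lock content, its `0.0.0` versions, the `net6.0` framework key and the dependency edges are constructed for illustration, since the dependency graph image is not part of this page.

```python
import json
from collections import deque

# Packages the issue lists as unmaintained or vulnerable.
FLAGGED = {"WebSocket4Net", "SuperSocket.ClientEngine.Core", "System.Net.Security",
           "System.Security.Cryptography.X509Certificates"}

def _entry(kind, *deps):
    # Constructed lock-file entry; "0.0.0" is a placeholder, not a real version.
    return {"type": kind, "resolved": "0.0.0", "dependencies": {d: "0.0.0" for d in deps}}

# Constructed sample in the packages.lock.json layout (edges are assumed).
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net6.0": {
    "MQTTnet.Extensions.WebSocket4Net": _entry("Direct", "MQTTnet", "WebSocket4Net"),
    "MQTTnet": _entry("Transitive"),
    "WebSocket4Net": _entry("Transitive", "SuperSocket.ClientEngine.Core"),
    "SuperSocket.ClientEngine.Core": _entry("Transitive", "System.Net.Security"),
    "System.Net.Security": _entry(
        "Transitive", "System.Security.Cryptography.X509Certificates"),
    "System.Security.Cryptography.X509Certificates": _entry("Transitive"),
}}})

def flagged_paths(lock_text, flagged=FLAGGED):
    """Return {framework: {flagged package: shortest path from a direct reference}}."""
    wanted = {f.lower() for f in flagged}  # NuGet package ids are case-insensitive
    report = {}
    for framework, pkgs in json.loads(lock_text)["dependencies"].items():
        index = {name.lower(): (name, info) for name, info in pkgs.items()}
        # Breadth-first walk starting at every directly referenced package.
        queue = deque([n] for n, info in pkgs.items() if info.get("type") == "Direct")
        seen = {path[0].lower() for path in queue}
        found = {}
        while queue:
            path = queue.popleft()
            name, info = index[path[-1].lower()]
            if name.lower() in wanted:
                found[name] = path
            for dep in info.get("dependencies", {}):
                key = dep.lower()
                if key in index and key not in seen:
                    seen.add(key)
                    queue.append(path + [index[key][0]])
        report[framework] = found
    return report

if __name__ == "__main__":
    for framework, hits in flagged_paths(SAMPLE_LOCK).items():
        for package, path in sorted(hits.items()):
            print(f"{framework}: {package} via {' -> '.join(path)}")
```

An empty result for every framework after removing the `MQTTnet.Extensions.WebSocket4Net` reference means none of the listed packages is resolved any more.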