karma
Critical vulnerability: Insufficient validation when decoding a Socket.IO packet
Hello,
We are currently facing a critical vulnerability in our project that depends on karma. https://github.com/advisories/GHSA-qm95-pgcg-qqfq
Steps to reproduce:
npm install
npm audit
Console message:
├─ socket.io-parser: 4.0.4
│ ├─ Issue: Insufficient validation when decoding a Socket.IO packet
│ ├─ URL: https://github.com/advisories/GHSA-qm95-pgcg-qqfq
│ ├─ Severity: critical
│ ├─ Vulnerable Versions:
│ ├─ Patched Versions: >=4.0.5
│ ├─ Via: karma, karma-htmlfile-reporter, karma-jasmine-html-reporter
│ └─ Recommendation: Upgrade to version 4.0.5 or later
Thank you in advance.
yeah experienced the same thing.
I've tried updating my Karma stack to 6.4.1 but a few of my Karma suites are halting/failing to complete. When I view in the browser, I see pending localhost/socket-io requests that never complete, they just restart after 30 seconds. Feels awfully related to either this dependency or socket.io-parser.
6.4.1 is using the vulnerable socket.io. I made a PR bumping it and am waiting on it to get reviewed:
#3825
I tried adding these two resolutions along with 6.4.1 but ran into the same problem.
"resolutions": {
  ...
  "**/socket.io": "4.5.2",
  "**/socket.io-parser": "4.2.1",
  ...
}
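A check worth running after adding a resolution or override like the one above is to confirm which copies of socket.io-parser actually ended up in the lockfile, since a nested copy under karma can survive while the root copy is patched. The script below is an added example, not code from the karma project or from this thread; it assumes an npm package-lock.json with the lockfileVersion 2/3 "packages" map, uses the patched range from the advisory (>=4.0.5), and runs against a constructed lockfile fragment embedded inline.

```javascript
// Added example (not from the karma project or this thread): list every copy of
// a package resolved in an npm package-lock.json ("packages" map, lockfile v2/v3)
// and flag the ones below the patched version from the advisory (>=4.0.5).

const PATCHED_MIN = '4.0.5'; // from the advisory: patched versions >=4.0.5

// Numeric compare of dotted release versions; pre-release suffixes are dropped,
// which is enough for the release versions discussed in the thread.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isPatched(version) {
  return compareVersions(version, PATCHED_MIN) >= 0;
}

// Walk the "packages" map. Keys look like "node_modules/socket.io-parser" or
// "node_modules/karma/node_modules/socket.io-parser" for nested copies.
// Returns one {path, version, patched} record per installed copy of `name`.
function findPackage(lock, name) {
  const results = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
      results.push({ path: p, version: entry.version, patched: isPatched(entry.version) });
    }
  }
  return results;
}

function vulnerableCopies(lock, name) {
  return findPackage(lock, name).filter((r) => !r.patched);
}

// Constructed lockfile fragment for illustration: the root copy is patched, but
// karma still carries a nested 4.0.4, the version npm audit reported above.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/socket.io-parser': { version: '4.2.1' },
    'node_modules/karma': { version: '6.4.1' },
    'node_modules/karma/node_modules/socket.io-parser': { version: '4.0.4' },
  },
};

// To check a real project, replace SAMPLE_LOCK with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
const bad = vulnerableCopies(SAMPLE_LOCK, 'socket.io-parser');
for (const b of bad) console.log(`vulnerable: ${b.path} @ ${b.version}`);
console.log(bad.length === 0 ? 'ok: all copies patched' : `${bad.length} vulnerable copy(ies) remain`);
```

One caveat when reading the result: the "resolutions" field is honoured by Yarn; if the project is installed with npm, that field is ignored and the equivalent mechanism is the "overrides" field in package.json, so a nested vulnerable copy showing up here after adding "resolutions" may simply mean the wrong package manager read the file.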
I'm experiencing the same problem
Any timeline on getting this PR merged?
+1, waiting for the patch version...
+1, waiting for the patch version...
+1, we are also waiting for the patch version...
+1, waiting for the patch version...