karma
karma copied to clipboard
karma-runner
Critical vulnerability: Insufficient validation when decoding a Socket.IO packet
Hello,
We are currently facing a critical vulnerability in our project that depends on karma. https://github.com/advisories/GHSA-qm95-pgcg-qqfq
Steps to reproduce:
npm install
npm audit
Console message:
├─ socket.io-parser: 4.0.4
│ ├─ Issue: Insufficient validation when decoding a Socket.IO packet
│ ├─ URL: https://github.com/advisories/GHSA-qm95-pgcg-qqfq
│ ├─ Severity: critical
│ ├─ Vulnerable Versions:
│ ├─ Patched Versions: >=4.0.5
│ ├─ Via: karma, karma-htmlfile-reporter, karma-jasmine-html-reporter
│ └─ Recommendation: Upgrade to version 4.0.5 or later
Thank you in advance.
I've tried updating my Karma stack to 6.4.1 but a few of my Karma suites are halting/failing to complete. When I view in the browser, I see pending localhost/socket-io requests that never complete, they just restart after 30 seconds. Feels awfully related to either this dependency or socket.io-parser.
I've tried updating my Karma stack to
6.4.1but a few of my Karma suites are halting/failing to complete. When I view in the browser, I seependinglocalhost/socket-io requests that never complete, they just restart after 30 seconds. Feels awfully related to either this dependency orsocket.io-parser.
6.4.1 is using the vulnerable socket.io
i made a PR bumping it and waiting on it to get reviewed.
#3825
I tried adding these two resolutions along with 6.4.1 but ran into the same problem.
"resolutions": {
...
"**/socket.io": "4.5.2",
"**/socket.io-parser": "4.2.1",
...
}
