Node Security Project advisory against ms package <=0.7.0 #2327

Closed
deansheather opened this issue Nov 29, 2015 · 13 comments

Comments

@deansheather

The ms package which is included as a dependency 4 times when installing socket.io through the npm install socket.io command has been found to have a ReDoS vulnerability.

The advisory can be found at Node Security Project. The advisory page contains proof of concept, results for the tests and methods to remediate this issue.

As you can see on the advisory page, to fix this vulnerability we would need to upgrade the dependencies for socket.io to use ms version 0.7.1 or greater OR limit the length of the input before passing it into ms.

I became aware of this issue after executing the nsp check command:

$ nsp check
(+) 4 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                                          │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ ms                                                                                            │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 0.6.2                                                                                         │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <=0.7.0                                                                                       │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >0.7.0                                                                                        │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ socket.io > debug > ms                                                                        │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/46                                                         │
└───────────────┴───────────────────────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬───────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                                          │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ ms                                                                                            │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 0.6.2                                                                                         │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <=0.7.0                                                                                       │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >0.7.0                                                                                        │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ socket.io > engine.io > debug > ms                                                            │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/46                                                         │
└───────────────┴───────────────────────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬───────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                                          │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ ms                                                                                            │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 0.6.2                                                                                         │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <=0.7.0                                                                                       │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >0.7.0                                                                                        │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ socket.io > socket.io-client > engine.io-client > debug > ms                                  │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/46                                                         │
└───────────────┴───────────────────────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬───────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                                          │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ ms                                                                                            │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 0.6.2                                                                                         │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <=0.7.0                                                                                       │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >0.7.0                                                                                        │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ socket.io > socket.io-adapter > debug > ms                                                    │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/46                                                         │
└───────────────┴───────────────────────────────────────────────────────────────────────────────────────────────┘

You can confirm that socket.io is using ms version 0.6.2 by typing npm ls in your project directory.
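The post names two remediations from the advisory: upgrade ms past 0.7.0, or bound the length of any string before it reaches ms. The following is an added example, not code from socket.io, debug or the ms package: `parseDuration` is a constructed stand-in for the ms() string-to-milliseconds API (written without a regular expression so its cost is linear in the input), `safeParseDuration` is the length guard a caller would place in front of any such parser, and `isAffectedMsVersion` checks a version string taken from `npm ls` against the `<=0.7.0` range in the advisory. The 100-character cap and all function names are assumptions.

```javascript
// Added example: length-bounded duration parsing and an advisory range check.
// Not ms's own code; parseDuration is a constructed stand-in for its API.

const MAX_DURATION_INPUT = 100; // assumption: ample for "10 minutes"-style strings

// Unit table for the stand-in parser (constructed; ms supports a similar set).
const UNIT_MS = {
  ms: 1,
  s: 1000, sec: 1000, second: 1000, seconds: 1000,
  m: 60000, min: 60000, minute: 60000, minutes: 60000,
  h: 3600000, hr: 3600000, hour: 3600000, hours: 3600000,
  d: 86400000, day: 86400000, days: 86400000,
};

// Stand-in parser: "<number>[ ]<unit>" -> milliseconds, NaN on anything else.
// A single forward scan, so work grows linearly with input length.
function parseDuration(str) {
  if (typeof str !== 'string') return NaN;
  const s = str.trim();
  let i = 0;
  let num = '';
  while (i < s.length && ((s[i] >= '0' && s[i] <= '9') || s[i] === '.')) {
    num += s[i++];
  }
  if (num === '' || num === '.') return NaN;
  while (i < s.length && s[i] === ' ') i++;
  const unit = s.slice(i).toLowerCase() || 'ms';
  if (!Object.prototype.hasOwnProperty.call(UNIT_MS, unit)) return NaN;
  return Number(num) * UNIT_MS[unit]; // Number('1.2.3') is NaN, so malformed numbers fall out here
}

// Mitigation from the advisory: reject oversized input before the parser sees it.
// `parse` defaults to the stand-in but could be the real ms() in an application.
function safeParseDuration(str, parse = parseDuration, maxLen = MAX_DURATION_INPUT) {
  if (typeof str !== 'string') return NaN;
  if (str.length > maxLen) return NaN; // untrusted, oversized: treat as invalid
  return parse(str);
}

// Minimal three-part version compare for values copied from `npm ls` output.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when an installed ms version falls inside the advisory's <=0.7.0 range.
function isAffectedMsVersion(version) {
  return compareVersions(version, '0.7.0') <= 0;
}

// Demonstration on constructed inputs.
console.log(safeParseDuration('10 minutes'));          // 600000
console.log(safeParseDuration('9'.repeat(1000)));      // NaN: rejected by the length guard
console.log(isAffectedMsVersion('0.6.2'));             // true (the version nsp reported)
console.log(isAffectedMsVersion('0.7.1'));             // false
```

The guard is deliberately placed outside the parser: it protects whichever implementation sits behind it, so an application can keep it in place even after the dependency is upgraded, and it gives a single point at which to log or count rejected inputs.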

@darrachequesne
Member

Hi! I think an issue has already been opened on this matter, and the package debug bumped consequently:

Thanks for the report!

Note: socket.io and socket.io-adapter will soon be released with that change included

@BeneStem

+1

@deansheather
Author

Sorry about that then, I had a quick look through and a search and I didn't see anything about it...

@BeneStem

BeneStem commented Dec 2, 2015

My +1 was meant for your post.
I didn't find any other than yours myself.
Don't be sorry, it's an important security fix!

On 02.12.2015, at 05:00, Dean Sheather [email protected] wrote:

Sorry about that then, I had a quick look through and a search and I didn't see anything about it...

@reedloden

Any ETA for when a new release will be made with the fix?

@OmgImAlexis

This has been updated but the version for socket.io itself hasn't been bumped and it hasn't been pushed to npm yet.

On npm 1.3.7 still contains the old version of debug.

@bryce-larson

+1

@mikermcneil

@rauchg would you guys be able to do a patch release with engine.io and socket.io-client dependencies bumped to address https://snyk.io/test/npm/socket.io? It looks like https://snyk.io/test/npm/socket.io-client would need its deps bumped and to be published first, as well. Thanks man, and keep up the great work as always!

@rauchg
Contributor

rauchg commented Jan 5, 2016

Just released engine.io, working on the socket.io release @mikermcneil

@rauchg
Contributor

rauchg commented Jan 5, 2016

1.4.0 out

@mikermcneil

@rauchg thanks!

@mikermcneil

@deansheather btw this hasn't updated on snyk yet, but I double checked the package.json files in question and I believe that resolves this issue. Thanks for the detailed analysis!

@deansheather
Author

No problem at all @mikermcneil! Could someone please close this issue now that this problem has been solved?

@nkzawa nkzawa closed this as completed Jan 17, 2016