engine.io
Advanced tools
Changelog
6.1.1 (2022-01-11)
:warning: This release contains an important security fix :warning:
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) at writeOrBuffer (internal/streams/writable.js:358:12)
This bug was introduced by this commit, included in engine.io@4.0.0, so previous releases are not impacted.
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
Bug Fixes
- properly handle invalid data sent by a malicious websocket client (c0e194d)
Changelog
6.0.0 (2021-10-08)
The codebase was migrated to TypeScript (c0d6eaa)
An ES module wrapper was also added (401f4b6).
Please note that the communication protocol was not updated, so a v5 client will be able to reach a v6 server (and vice-versa).
Reference: https://github.com/socketio/engine.io-protocol
BREAKING CHANGES
- the default export was removed, so the following code won't work anymore:
const eioServer = require("engine.io")(httpServer);
Please use this instead:
const { Server } = require("engine.io");
const eioServer = new Server(httpServer);
Dependencies
ws version: ~8.2.3 (bumped from ~7.4.2)