fix: the socket in socket.ts #5494
Automated security fix generated by Orbis Security AI
Thanks for your report 👍 However, I think this can already be handled with the existing middleware mechanism, where users can enforce whatever policy fits their deployment: IP-based limits, connection-rate throttling, maximum concurrent handshakes, allow/deny lists, integration with Redis/shared counters, etc. Reference: https://socket.io/docs/v4/middlewares/ Because these requirements vary significantly between deployments and infrastructure setups, adding another built-in Socket.IO/Engine.IO option would duplicate functionality that middleware already provides and would likely be too opinionated. Users who need this protection can plug in a middleware-based rate limiter or connection limiter at the handshake/request layer. Thanks. |
Thanks for the clear explanation. That makes sense. This is better handled as a deployment policy through middleware rather than as a built-in Engine.IO option, especially for multi-node deployments where a local counter would not be sufficient. |
Summary
Fix high severity security issue in packages/engine.io/lib/socket.ts.

Vulnerability
V-007 packages/engine.io/lib/socket.ts:1
Description: The Socket.IO server accepts incoming connections without any rate limiting or connection throttling. There is no IP-based connection limit, no per-second connection rate cap, and no maximum concurrent connection enforcement. An attacker with a basic script can open thousands of simultaneous connections, each consuming server memory, file descriptors, and CPU for WebSocket handshake processing, until the server becomes unresponsive to legitimate users.

Changes
packages/engine.io/lib/server.ts

Verification
Automated security fix by OrbisAI Security