Releases · socketio/socket.io-parser
3.3.4
4.2.4
Bug Fixes
- ensure reserved events cannot be used as event names (d9db473)
- properly detect plain objects (b0e6400)
Links
- Diff: 4.2.3...4.2.4
4.2.3
⚠️ This release contains an important security fix ⚠️
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
TypeError: Cannot convert object to primitive value
    at Socket.emit (node:events:507:25)
    at .../node_modules/socket.io/lib/socket.js:531:14
Please upgrade as soon as possible.
Bug Fixes
- check the format of the event name (3b78117)
Links
- Diff: 4.2.2...4.2.3
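The two event-name fixes listed above (reserved names in 4.2.4, event-name format in 4.2.3) describe checks of the following kind. This is an added example, not code from socket.io-parser: `checkEventPayload`, `handleFrame`, the reserved-name list and the sample frames are assumptions constructed for illustration.

```javascript
// Added example; names here are hypothetical, not socket.io-parser's API.
// Assumption: names Socket.IO reserves for its own lifecycle events;
// verify the list against the version you run.
const RESERVED_EVENTS = new Set([
  "connect", "connect_error", "disconnect", "disconnecting",
  "newListener", "removeListener",
]);

// Returns null when the decoded payload is acceptable, else a reason string.
function checkEventPayload(payload) {
  if (!Array.isArray(payload) || payload.length === 0) {
    return "payload must be a non-empty array";
  }
  const name = payload[0];
  // Only primitives: a string or number is always usable as an event key.
  if (typeof name !== "string" && typeof name !== "number") {
    return "event name must be a string or number";
  }
  if (RESERVED_EVENTS.has(name)) return "event name is reserved";
  return null;
}

// Decode, validate, then dispatch. Malformed frames are rejected with a
// reason instead of throwing.
function handleFrame(handlers, rawJson) {
  let payload;
  try {
    payload = JSON.parse(rawJson);
  } catch {
    return { ok: false, reason: "invalid JSON" };
  }
  const reason = checkEventPayload(payload);
  if (reason) return { ok: false, reason };
  const [name, ...args] = payload;
  const handler = handlers.get(name); // Map lookup: no prototype keys
  if (!handler) return { ok: false, reason: "no handler registered" };
  return { ok: true, result: handler(...args) };
}

// Constructed sample input, not captured traffic.
const SAMPLE_HANDLERS = new Map([
  ["chat message", (text) => String(text).toUpperCase()],
]);
const SAMPLE_FRAMES = [
  '["chat message","hi"]', '[{"nested":true},"hi"]',
  '["disconnect"]', '{"not":"an array"}', '[',
];
for (const frame of SAMPLE_FRAMES) {
  console.log(frame, "->", JSON.stringify(handleFrame(SAMPLE_HANDLERS, frame)));
}
```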
3.4.3
⚠️ This release contains an important security fix ⚠️
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
TypeError: Cannot convert object to primitive value
    at Socket.emit (node:events:507:25)
    at .../node_modules/socket.io/lib/socket.js:531:14
Please upgrade as soon as possible.
Bug Fixes
- check the format of the event name (2dc3c92)
Links
- Diff: 3.4.2...3.4.3
4.2.2
Bug Fixes
- calling destroy() should clear all internal state (22c42e3)
- do not modify the input packet upon encoding (ae8dd88)
Links
- Diff: 4.2.1...4.2.2