CVE-2017-16031
Insecure randomness in socket.io
7.5
HIGH
CVSS 3.1
EPSS 0.39%
Description
Affected versions of `socket.io` depend on `Math.random()` to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.
Recommendation
Update to v0.9.7 or later.
How to fix CVE-2017-16031
To remediate CVE-2017-16031, upgrade the affected package to a fixed version below.
- socket.io: upgrade to 0.9.7 or later
Is CVE-2017-16031 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- socket.io: all versions from 0 up to, but not including, 0.9.7 (< 0.9.7)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |