
Remove the vulnerability CVE-2020-36048 from engine.io use in socket.io?

Open KristinaPlusPlus opened this issue 4 years ago • 0 comments

  • Version:
      • Electron.NET CLI 13.5.1
      • Dotnet core 5.0
      • Node 14
  • Target:
      • osx64
      • win64

Issue:

The electron host relies on socket.io, which uses engine.io, and although a custom package file could be passed, the code seems to fail when socket.io 3.x and 4.x are used. However, using socket.io 2.x is a security vulnerability, as it is using engine.io ~3.5.0, which exposes vulnerability CVE-2020-36048. There has been an issue placed against socket.io (https://github.com/socketio/socket.io/issues/4047), but it seems it will only be resolved in socket.io 3.x and later.

KristinaPlusPlus, Dec 20 '21 20:12
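
One way to confirm which engine.io version a host's `package-lock.json` actually resolves, as an added example that is not part of the original issue or of Electron.NET's code. The function names and both sample lockfiles are constructed, and the flagged range is simply the `~3.5.0` named in the issue, not a range taken from an advisory database.

```javascript
// Added example: locate engine.io copies in an npm lockfile that resolve
// inside the ~3.5.0 range named in the issue (>=3.5.0 <3.6.0).
// Assumption: the range comes from the issue text, not from an advisory feed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1).map(Number) : null;
}

// Tilde range ~3.5.0: same major and minor, any patch level.
function inFlaggedRange(version) {
  const p = parseVersion(version);
  return p !== null && p[0] === 3 && p[1] === 5;
}

// Handles lockfileVersion 2/3 ("packages" map keyed by install path)
// and lockfileVersion 1 (nested "dependencies" objects).
function findEngineIo(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Suffix match also catches nested copies, but not engine.io-client.
      if (path.endsWith('node_modules/engine.io')) {
        hits.push({ path, version: meta.version, flagged: inFlaggedRange(meta.version) });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail.concat(name).join(' > ');
      if (name === 'engine.io') {
        hits.push({ path, version: meta.version, flagged: inFlaggedRange(meta.version) });
      }
      walk(meta.dependencies, trail.concat(name));
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not from the Electron.NET repository).
const sampleV2 = { lockfileVersion: 2, packages: {
  'node_modules/socket.io': { version: '2.4.1' },
  'node_modules/engine.io': { version: '3.5.0' },
  'node_modules/engine.io-client': { version: '3.5.2' } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'socket.io': { version: '4.4.0', dependencies: { 'engine.io': { version: '6.1.0' } } } } };

console.log(findEngineIo(sampleV2), findEngineIo(sampleV1));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findEngineIo` and fail the build if any hit has `flagged: true`.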