CVE-2016-10536
low-risk
Published 2018-05-31
engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that Node.js handles the `rejectUnauthorized` setting: if the value is anything that evaluates to false, certificate verification is disabled. This is a problem because engine.io-client 1.6.8 and earlier passes in a settings object that includes the `rejectUnauthorized` property whether or not it has been set. If the value has not been explicitly changed, it is passed in as `null`, which turns certificate verification off.
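The option handling described above, as an added example that is not engine.io-client or Node.js source. The function names, the sample host and the simplified runtime model in `verificationEnabled` are assumptions made for illustration; the block contrasts always forwarding the key with normalising it to a strict boolean.

```javascript
// Simplified model (assumption) of the runtime behaviour the advisory describes:
// the default of true applies only when the key is absent, and the merged value
// is then tested for truthiness, so an explicit null switches verification off.
function verificationEnabled(tlsOptions) {
  const merged = Object.assign({ rejectUnauthorized: true }, tlsOptions);
  return Boolean(merged.rejectUnauthorized);
}

// Vulnerable pattern: the key is always forwarded, so an unset value travels as null.
function buildOptionsVulnerable(userOpts = {}) {
  return {
    host: userOpts.host,
    rejectUnauthorized: userOpts.rejectUnauthorized ?? null,
  };
}

// Hardened pattern: verification stays on unless the caller passed the boolean false.
function buildOptionsHardened(userOpts = {}) {
  return {
    host: userOpts.host,
    rejectUnauthorized: userOpts.rejectUnauthorized !== false,
  };
}

// Defensive check for tests or code review: flag an options object whose
// rejectUnauthorized key is present but is not the boolean true.
function auditTlsOptions(tlsOptions) {
  if (!Object.prototype.hasOwnProperty.call(tlsOptions, 'rejectUnauthorized')) {
    return 'ok: key absent, runtime default applies';
  }
  const value = tlsOptions.rejectUnauthorized;
  if (value === true) return 'ok: verification explicitly on';
  if (value === false) return 'warn: verification explicitly off';
  return `fail: non-boolean value ${String(value)} may disable verification`;
}

// Constructed sample input: a caller that never mentions rejectUnauthorized.
const callerOpts = { host: 'example.test' };
for (const build of [buildOptionsVulnerable, buildOptionsHardened]) {
  const opts = build(callerOpts);
  console.log(build.name, verificationEnabled(opts), auditTlsOptions(opts));
}
```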
Do I need to act?
- 0.22% chance of exploitation (EPSS score: low exploit probability)
- Not on CISA KEV list: no confirmed active exploitation reported to CISA
- Patch status unknown: check vendor advisories for fix availability and mitigation guidance
- CVSS 5.9/10, Medium (NETWORK / HIGH complexity)
Affected Products (1)
Engine.Io-Client
Affected Vendors
References (6)
Third Party Advisory
https://nodesecurity.io/advisories/99
Third Party Advisory
https://www.cigital.com/blog/node-js-socket-io/
Risk score: 24 / 100, low-risk
Severity
18/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal