7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16031

GHSA ID

GHSA-qv2v-m59f-v5fw

EPSS Score

0.60273%

CWE

CWE-330

Published

11/7/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16031

CVE-2017-16031:
Insecure randomness in socket.io

Affected versions of socket.io depend on Math.random() to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization.

Recommendation

Update to v0.9.7 or later.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16031

GHSA ID

GHSA-qv2v-m59f-v5fw

EPSS Score

0.60273%

CWE

CWE-330

Published

11/7/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
socket.io	npm	<= 0.9.6	0.9.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the insecure use of Math.random() in the ID generation process. The commit 67b4eb9 explicitly replaces Math.random() with crypto.randomBytes in Manager.prototype.generateId, confirming this was the vulnerable function. The CWE-330 classification and advisory descriptions directly match this pattern of insufficient randomness in cryptographic identifiers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `so*k*t.io` **p*n* on `M*t*.r*n*om()` to *r**t* so*k*t I*s, *n* t**r**or* t** I*s *r* pr**i*t**l*. Wit* *nou** in*orm*tion on prior I*s, *n *tt**k*r m*y ** **l* to *u*ss t** so*k*t I* *n* **in ****ss to so*k*t.io s*rv*rs wit*out

Reasoning

T** vuln*r**ility st*ms *rom t** ins**ur* us* o* M*t*.r*n*om() in t** I* **n*r*tion pro**ss. T** *ommit ******* *xpli*itly r*pl***s M*t*.r*n*om() wit* *rypto.r*n*om*yt*s in M*n***r.prototyp*.**n*r*t*I*, *on*irmin* t*is w*s t** vuln*r**l* *un*tion. T*

7.5

Basic Information

Concerned about an active attack path?

CVE-2017-16031: Insecure randomness in socket.io

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2017-16031:
Insecure randomness in socket.io

Vulnerability Intelligence
Miggo AI