What is CVE-2016-10536?

CVE-2016-10536 is a vulnerability in engine.io-client that allows man-in-the-middle attacks due to the lack of certificate verification.

How does CVE-2016-10536 impact engine.io-client?

CVE-2016-10536 allows attackers to perform man-in-the-middle attacks by bypassing certificate verification in engine.io-client.

What is the severity of CVE-2016-10536?

CVE-2016-10536 has a severity value of 5.9, which is considered medium.

How can I fix CVE-2016-10536 in engine.io-client?

To fix CVE-2016-10536 in engine.io-client, upgrade to version 1.6.9 or later.

What is the Common Weakness Enumeration (CWE) for CVE-2016-10536?

The CWE for CVE-2016-10536 is CWE-300 (Channel Accessible by Non-Endpoint), and CWE-295 (Improper Certificate Validation).

Vulnerability/
CVE-2016-10536

medium

5.9

CWE

295 300

31/5/2018

18/2/2019

17/9/2024

CVE-2016-10536

First published: Thu May 31 2018(Updated: )

Affected versions of `engine.io-client` do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks. The vulnerability is related to the way that node.js handles the `rejectUnauthorized` setting. If the value is something that evaluates to false, such as undefined or null, certificate verification will be disabled. ## Recommendation Update to version 1.6.9 or later. If you are unable to upgrade, ensure all calls to socket.io to have a `rejectedUnauthorized: true` flag.

Credit: support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
Socket Engine.io-client	<=1.6.8

Remedy

https://github.com/socketio/engine.io-client/commit/2c55b278a491bf45313ecc0825cf800e2f7ff5c1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2016-10536?
CVE-2016-10536 is a vulnerability in engine.io-client that allows man-in-the-middle attacks due to the lack of certificate verification.
How does CVE-2016-10536 impact engine.io-client?
CVE-2016-10536 allows attackers to perform man-in-the-middle attacks by bypassing certificate verification in engine.io-client.
What is the severity of CVE-2016-10536?
CVE-2016-10536 has a severity value of 5.9, which is considered medium.
How can I fix CVE-2016-10536 in engine.io-client?
To fix CVE-2016-10536 in engine.io-client, upgrade to version 1.6.9 or later.
What is the Common Weakness Enumeration (CWE) for CVE-2016-10536?
The CWE for CVE-2016-10536 is CWE-300 (Channel Accessible by Non-Endpoint), and CWE-295 (Improper Certificate Validation).

collector/github-advisory-latest
alias/GHSA-4r4m-hjwj-43p8
alias/CVE-2016-10536
collector/nvd-index
collector/nvd-cve
agent/author
agent/type
agent/event
agent/remedy
agent/first-publish-date
agent/tags
agent/severity
agent/weakness
agent/last-modified-date
agent/references
agent/softwarecombine
agent/description
collector/mitre-cve
source/MITRE
package-manager/npm
vendor/socket
canonical/socket engine.io-client
version/socket engine.io-client/1.6.8

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.