GMS-2016-31: Insecure Defaults Allow MITM Over TLS

April 26, 2016

There’s a flaw in the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates to false, certificate verification will be disabled. This is problematic as engine.io-client passes in an object for settings that includes the rejectUnauthorized property, whether it has been set or not. If the value has not been explicitly changed, it will be passed in as null, resulting in certificate verification being turned off.

References

github.com/socketio/engine.io-client/commit/2c55b278a491bf45313ecc0825cf800e2f7ff5c1
www.cigital.com/blog/node-js-socket-io/

Code Behaviors & Features

Detect and mitigate GMS-2016-31 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →