Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that Node.js handles the `rejectUnauthorized` setting: if the value is something that evaluates to false, certificate verification is disabled. This is problematic because engine.io-client 1.6.8 and earlier passes in a settings object that includes the `rejectUnauthorized` property whether or not it has been set. If the value has not been explicitly changed, it is passed in as `null`, which turns certificate verification off.
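The null-versus-unset pitfall described above, as an added example that is not code from engine.io-client or Node.js. The function names, the `example.test` host and the simplified truthiness model of the TLS consumer are assumptions made for illustration.

```javascript
// Simplified model of a TLS consumer (assumption, not Node.js source):
// an absent setting means "verify"; a present setting is judged by truthiness.
function verificationEnabled(tlsOptions) {
  if (!Object.prototype.hasOwnProperty.call(tlsOptions, 'rejectUnauthorized')) return true;
  return Boolean(tlsOptions.rejectUnauthorized);
}

// Pattern the description names: the property is always forwarded,
// so a caller who never set it ends up sending null.
function buildOptionsForwardAlways(userOpts = {}) {
  const v = userOpts.rejectUnauthorized;
  return { host: userOpts.host, rejectUnauthorized: v === undefined ? null : v };
}

// Hardened builder: unset or null means verify; only a literal boolean false
// turns verification off; any other type is rejected instead of coerced.
function buildOptionsHardened(userOpts = {}) {
  const v = userOpts.rejectUnauthorized;
  if (v !== undefined && v !== null && typeof v !== 'boolean') {
    throw new TypeError('rejectUnauthorized must be a boolean when provided');
  }
  return { host: userOpts.host, rejectUnauthorized: v !== false };
}

// Review helper: true when the setting is falsy without being an explicit
// `false`, i.e. verification would be switched off by accident.
function isAccidentallyDisabled(tlsOptions) {
  const v = tlsOptions.rejectUnauthorized;
  return 'rejectUnauthorized' in tlsOptions && !v && v !== false;
}

// Constructed sample inputs: unset, explicit true, explicit false.
const samples = [
  { host: 'example.test' },
  { host: 'example.test', rejectUnauthorized: true },
  { host: 'example.test', rejectUnauthorized: false },
];
for (const s of samples) {
  const weak = buildOptionsForwardAlways(s);
  const safe = buildOptionsHardened(s);
  console.log(JSON.stringify(s),
    '| forwarded verifies:', verificationEnabled(weak),
    '| accidental:', isAccidentallyDisabled(weak),
    '| hardened verifies:', verificationEnabled(safe));
}
```

Running `isAccidentallyDisabled` over the option objects an application actually passes to its TLS layer separates a deliberate opt-out from the silent one this entry describes.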
CVSS Information
N/A
Vulnerability Type
Channel accessible by non-endpoint (man-in-the-middle attack)
Vulnerability Title
engine.io-client security vulnerability
Vulnerability Description
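engine.io-client is a cross-browser, cross-device, transport-based real-time application framework. A security vulnerability exists in engine.io-client 1.6.8 and earlier versions; it stems from the program not verifying certificates by default. An attacker can exploit this vulnerability to carry out a man-in-the-middle attack.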
CVSS Information
N/A
Vulnerability Type
N/A