Remove the vulnerability CVE-2020-36048 from engine.io use in socket.io? #742

New Issue

Open

opened 2026-01-29 16:47:25 +00:00 by claunia · 0 comments

claunia commented 2026-01-29 16:47:25 +00:00

Owner

Copy Link

Originally created by @KristinaPlusPlus on GitHub (Dec 20, 2021).

Originally assigned to: @GregorBiswanger on GitHub.

• Version:
• Electron.NET CLI 13.5.1

• Dotnet core 5.0
• Node 14

• Target:
• osx64
• win64

Issue:

The electron host relies on socket.io which uses engine.io and although a custom package file could be passed, the code seems to fail when socket.io 3.x and 4.x used. However, using socket.io 2.x is a security vulnerability as it using engine.io ~3.5.0 which exposes vulnerability CVE-2020-36048. There has been an issue placed against socket.io (https://github.com/socketio/socket.io/issues/4047) but it seems it will only be resolved in socket.io 3.x and later.

Originally created by @KristinaPlusPlus on GitHub (Dec 20, 2021). Originally assigned to: @GregorBiswanger on GitHub. <!-- Please search existing issues to avoid creating duplicates. --> <!-- Which version of Electron.NET CLI and API are you using? --> <!-- Please always try to use latest version before report. --> * **Version**: * Electron.NET CLI 13.5.1 <!-- Which version of .NET Core and Node.js are you using (if applicable)? --> * Dotnet core 5.0 * Node 14 <!-- What target are you building for? --> * **Target**: * osx64 * win64 <!-- Enter your issue details below this comment. --> <!-- If you want, you can donate to increase issue priority (https://donorbox.org/electron-net) --> Issue: The electron host relies on socket.io which uses engine.io and although a custom package file could be passed, the code seems to fail when socket.io 3.x and 4.x used. However, using socket.io 2.x is a security vulnerability as it using engine.io ~3.5.0 which exposes vulnerability CVE-2020-36048. There has been an issue placed against socket.io (https://github.com/socketio/socket.io/issues/4047) but it seems it will only be resolved in socket.io 3.x and later.

claunia added the bug label 2026-01-29 16:47:25 +00:00

claunia referenced this issue 2026-01-29 16:59:11 +00:00

[PR #742] Bump minimist from 1.2.5 to 1.2.8 in /ElectronNET.WebApp/ElectronHostHook #1275

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

develop

feature/secure-connection

dependabot/npm_and_yarn/src/ElectronNET.WebApp/ElectronHostHook/lodash-4.17.23

dependabot/npm_and_yarn/src/ElectronNET.Host/lodash-4.17.23

legacy/build-system-update

legacy/main

0.4.1-pre.26

0.4.0

0.4.0-pre.18

0.3.1

0.3.0

0.3.0-pre.5

0.3.0-pre.1

0.3.0-pre.336

0.3.0-pre.331

0.2.0-pre.240

0.2.0-pre.228

0.2.0-pre.200

0.1.0-pre.198

0.1.0

0.1.0-pre.184

0.1.0-pre.180

0.1.0-pre.173

0.1.0-pre.163

0.1.0-pre.156

0.1.0-pre.149

0.1.0-pre.139

0.1.0-pre.135

0.1.0-pre.133

0.0.18-pre.123

23.6.2-alpha.71

23.6.2

23.6.2-alpha.14

23.6.1

13.5.1

11.5.1

9.31.2

9.31.1

8.31.2

8.31.1

7.30.2

5.30.1

5.22.14

5.22.13

0.0.11

0.0.10

0.0.9

v0.0.7

Labels

Clear labels

api

api

applications

bug

bug

dev-experience

discussion

documentation

duplicate

enhancement

examples

Feature

Feature

good first issue

help wanted

In progress

information

infrastructure

invalid

javascript

macos

more-information-needed

pull-request

Mirrored from GitHub Pull Request

question

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

claunia

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/Electron.NET#742