starred/Electron.NET
1
0
Fork 0
mirror of https://github.com/ElectronNET/Electron.NET.git synced 2026-02-03 21:25:13 +00:00
Code Issues 668 Packages Projects Releases 20 Wiki Activity

Remove the vulnerability CVE-2020-36048 from engine.io use in socket.io? #745

New Issue
Closed
opened 2026-01-29 16:47:28 +00:00 by claunia · 1 comment
claunia commented 2026-01-29 16:47:28 +00:00
Owner
Copy Link

Originally created by @KristinaPlusPlus on GitHub (Dec 20, 2021).

Originally assigned to: @GregorBiswanger on GitHub.

  • Version:
  • Electron.NET CLI 13.5.1
  • Dotnet core 5.0
  • Node 14
  • Target:
  • osx64
  • win64

Issue:

The electron host relies on socket.io which uses engine.io and although a custom package file could be passed, the code seems to fail when socket.io 3.x and 4.x used. However, using socket.io 2.x is a security vulnerability as it using engine.io ~3.5.0 which exposes vulnerability CVE-2020-36048. There has been an issue placed against socket.io (https://github.com/socketio/socket.io/issues/4047) but it seems it will only be resolved in socket.io 3.x and later.

Originally created by @KristinaPlusPlus on GitHub (Dec 20, 2021). Originally assigned to: @GregorBiswanger on GitHub. <!-- Please search existing issues to avoid creating duplicates. --> <!-- Which version of Electron.NET CLI and API are you using? --> <!-- Please always try to use latest version before report. --> * **Version**: * Electron.NET CLI 13.5.1 <!-- Which version of .NET Core and Node.js are you using (if applicable)? --> * Dotnet core 5.0 * Node 14 <!-- What target are you building for? --> * **Target**: * osx64 * win64 <!-- Enter your issue details below this comment. --> <!-- If you want, you can donate to increase issue priority (https://donorbox.org/electron-net) --> Issue: The electron host relies on socket.io which uses engine.io and although a custom package file could be passed, the code seems to fail when socket.io 3.x and 4.x used. However, using socket.io 2.x is a security vulnerability as it using engine.io ~3.5.0 which exposes vulnerability CVE-2020-36048. There has been an issue placed against socket.io (https://github.com/socketio/socket.io/issues/4047) but it seems it will only be resolved in socket.io 3.x and later.
claunia added the bug label 2026-01-29 16:47:28 +00:00
claunia commented 2026-01-29 16:47:29 +00:00
Author
Owner
Copy Link

@GregorBiswanger commented on GitHub (Mar 28, 2023):

🎉🚀 New Electron.NET version 23.6.1 released 🚀🎉

With native Electron 23 and .NET 6 support. Your problem should be fixed here. If you continue to have the problem, please let us know. Please note the correct updating of your API & CLI. Info in the README. Have fun!

@GregorBiswanger commented on GitHub (Mar 28, 2023): 🎉🚀 New Electron.NET version 23.6.1 released 🚀🎉 With native Electron 23 and .NET 6 support. Your problem should be fixed here. If you continue to have the problem, please let us know. Please note the correct updating of your API & CLI. Info in the README. Have fun!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
api
api
applications
bug
bug
dev-experience
discussion
documentation
duplicate
enhancement
examples
Feature
Feature
good first issue
help wanted
In progress
information
infrastructure
invalid
javascript
macos
more-information-needed
pull-request
Mirrored from GitHub Pull Request
 question
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claunia
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/Electron.NET#745
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?