[Security] connectionStateRecovery skipMiddlewares bypasses auth on reconnect

[eddieran]

Summary

When connectionStateRecovery is enabled, skipMiddlewares defaults to true (packages/socket.io/lib/namespace.ts:346-354). Reconnecting clients bypass all auth middleware using the pid. Window: 2 min default.

Impact

Revoked users can reconnect and bypass authorization within the recovery window.

Fix

Default skipMiddlewares to false, or document the security implication.

[darrachequesne]

Hi, and thank you for the report.

This appears to involve a potential security vulnerability, so it should not have been opened as a public GitHub issue. Please follow our Security Policy next time and report security concerns privately through the responsible disclosure process described there. Thanks!

Regarding the issue itself, we have updated the documentation:

• https://socket.io/docs/v4/connection-state-recovery#skipmiddlewares-option
• https://socket.io/docs/v4/server-options/#connectionstaterecovery

Could you please check?