socketio-unity is a client-side Unity package. It contains no server code in the shipped artifact. The trust boundary sits between server-supplied data and the client's internal state — the library's job is to parse untrusted server input defensively and never enforce server-side authorization (that is the server's responsibility). See Documentation~/permissions.md for the full auth/trust model.
Security fixes are applied to the latest 1.x release. Older minor versions are not back-patched.
| Version | Supported |
|---|---|
| 1.6.x | ✅ |
| < 1.6 | ❌ (upgrade) |
Please report suspected vulnerabilities privately — do not open a public issue for an unfixed security problem.
- Use GitHub's private vulnerability reporting (Security → Report a vulnerability), or
- Email the maintainer (see the GitHub profile for @Magithar).
Include the Unity version, target platform (Editor / Standalone / WebGL / mobile), a minimal reproduction, and the impact you observed. Expect an acknowledgement within a reasonable window; fixes ship in a patch or minor release with credit in the CHANGELOG unless you prefer to remain anonymous.
- Transport encryption is the developer's responsibility. Auth payloads passed to
Of("/ns", authObject)are sent in plaintext in the Socket.IO CONNECT packet. Always usewss://in production when auth carries session tokens or identity data. See Documentation~/GETTING_STARTED.md. - Server-input hardening. A full static security audit was performed on 2026-06-27. The two medium findings it surfaced — a binary-placeholder null-dereference and fragile WebGL text-message routing — were fixed in v1.6.0. The audit's positive findings (consistent null-returning parser, main-thread dispatcher isolation, ACK overflow handling, no
TypeNameHandlingin deserialization) remain in place.
- A malicious or compromised server you connect to. Validate server-sent gameplay data in your own code.
- Unbounded action queues from a pathological server (the main-thread dispatcher queue is unbounded by design).
- Man-in-the-middle on unencrypted
ws://. Usewss://.