CVE-2026-33151

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4	Patch
https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf	Patch
https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78	Patch
https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:socket:socket.io-parser::::::node.js::*
	cpe:2.3:a:socket:socket.io-parser::::::node.js::*
	cpe:2.3:a:socket:socket.io-parser::::::node.js::*

History

14 Apr 2026, 18:22

Type	Values Removed	Values Added
References	~~() https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4 -~~	() https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4 - Patch
References	~~() https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf -~~	() https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf - Patch
References	~~() https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78 -~~	() https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78 - Patch
References	~~() https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9 -~~	() https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9 - Patch, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:socket:socket.io-parser::::::node.js::*
Summary		(es) Socket.IO es un framework de comunicación de código abierto, en tiempo real, bidireccional y basado en eventos. Antes de las versiones 3.3.5, 3.4.4 y 4.2.6, un paquete de Socket.IO especialmente diseñado puede hacer que el servidor espere un gran número de adjuntos binarios y los almacene en búfer, lo cual puede ser explotado para agotar la memoria del servidor. Este problema ha sido parcheado en las versiones 3.3.5, 3.4.4 y 4.2.6.
CWE		NVD-CWE-noinfo
First Time		Socket socket.io-parser Socket

20 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 21:17

Updated : 2026-04-14 18:22

NVD link : CVE-2026-33151

Mitre link : CVE-2026-33151

CVE.ORG link : CVE-2026-33151

JSON object : View

Products Affected

socket

socket.io-parser

CWE

CWE-20

Improper Input Validation

CWE-754

Improper Check for Unusual or Exceptional Conditions

NVD-CWE-noinfo

7.5 /10