Skip to main content

Red Hat CVE-2026-33151

HIGH
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-03-18 https://github.com/socketio/socket.io GHSA-677m-j7p3-52f9
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 14, 2026 - 18:37 NVD
8.7 (HIGH)
Analysis Generated
Mar 18, 2026 - 17:30 vuln.today
Patch released
Mar 18, 2026 - 17:30 nvd
Patch available
CVE Published
Mar 18, 2026 - 17:26 nvd
HIGH

DescriptionGitHub Advisory

Impact

A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory.

Patches

Version rangeUsed byFixed version
>=4.0.0 <4.2.6socket.io@4.x and socket.io-client@4.x4.2.6
>=3.4.0 <3.4.4socket.io@2.x3.4.4
<3.3.5socket.io-client@2.x3.3.5

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

AnalysisAI

A specially crafted Socket.IO packet can cause the server to allocate unbounded memory by waiting for and buffering a large number of binary attachments, leading to denial of service through memory exhaustion. The vulnerability affects socket.io-parser versions across multiple major releases (v2.x, v3.x, and v4.x) used by Socket.IO server and client implementations. No EPSS score or KEV listing is available, but patches have been released by the vendor.

Technical ContextAI

Socket.IO is a real-time bidirectional event-based communication library for JavaScript that works on top of WebSocket and HTTP long-polling. The vulnerability resides in socket.io-parser (CPE: pkg:npm/socket.io-parser), the component responsible for encoding and decoding Socket.IO packets. This is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions), meaning the parser fails to properly validate or limit the number of binary attachments declared in a packet. When a malicious packet claims to have an excessive number of attachments, the server allocates buffers and waits for all attachments to arrive, causing unbounded memory consumption without proper resource limits or validation.

RemediationAI

Upgrade socket.io-parser to a patched version immediately: version 4.2.6 or later for the 4.x series, version 3.4.4 or later for the 3.4.x series, or version 3.3.5 or later for older 3.x implementations. The vendor explicitly states there is no known workaround except upgrading to a safe version. Review the vendor security advisory at https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9 for complete upgrade guidance. Examine the patch commits at https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4, https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf, and https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78 to understand the fix implementation. Organizations unable to patch immediately should consider implementing network-level rate limiting and connection throttling as temporary mitigations, though these are not substitutes for patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-33151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy