CVE-2026-33151
Severity: HIGH

Description
### Impact

A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory.

### Patches

Version ranges below are for `socket.io-parser`, the package that decodes these packets.

| Version range | Used by | Fixed version |
|------------------|--------------------------------------------|---------------|
| `>=4.0.0 <4.2.6` | `[email protected]` and `[email protected]` | `4.2.6` |
| `>=3.4.0 <3.4.4` | `[email protected]` | `3.4.4` |
| `<3.3.5` | `[email protected]` | `3.3.5` |

### Workarounds

There is no known workaround except upgrading to a safe version.

### For more information

If you have any questions or comments about this advisory:

- Open a discussion [here](https://github.com/socketio/socket.io/discussions)
Analysis
A specially crafted Socket.IO packet can cause the server to allocate unbounded memory: the packet header declares how many binary attachments follow, and the server waits for and buffers that many before dispatching the event, so a sender that declares a large count drives the process toward memory exhaustion and denial of service. The vulnerability affects socket.io-parser across multiple major release lines (the parser versions used by Socket.IO v2.x, v3.x and v4.x) on both the server and client side. …
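To make the mechanism above concrete, here is an added example that is not socket.io-parser's or vuln.today's code. It models the text-packet header that declares binary attachments, a reconstructor that trusts the declared count (the failure mode described in the advisory), and a checked variant that ties the count to the placeholders actually present in the payload. The function names, the cap of 64 attachments, the `MAX_ATTACHMENTS` constant and the crafted packets are all assumptions for illustration; the check shown is not the upstream fix.

```javascript
// Added example, not socket.io-parser's own code. Names, the cap of 64 and
// the sample packets are assumptions for illustration.
//
// socket.io-parser text packet: "<type>[<attachments>-][/<nsp>,][<ackId>]<json>"
// type 5 = BINARY_EVENT, type 6 = BINARY_ACK. Each {"_placeholder":true,"num":N}
// in the JSON is later replaced by the N-th binary attachment.

const BINARY_EVENT = 5;
const BINARY_ACK = 6;

// Parse type, declared attachment count, namespace, ack id and raw JSON payload.
function parseHeader(str) {
  if (str.length === 0) throw new Error("empty packet");
  let i = 0;
  const type = Number(str.charAt(i++));
  if (!Number.isInteger(type) || type < 0 || type > 6) throw new Error("invalid packet type");
  let attachments = 0;
  if (type === BINARY_EVENT || type === BINARY_ACK) {
    const start = i;
    while (str.charAt(i) !== "-") {
      if (i === str.length) throw new Error("missing attachments separator");
      i++;
    }
    attachments = Number(str.substring(start, i));
    if (!Number.isInteger(attachments) || attachments < 0) throw new Error("bad attachment count");
    i++; // skip '-'
  }
  let nsp = "/";
  if (str.charAt(i) === "/") {
    const start = i;
    while (i < str.length && str.charAt(i) !== ",") i++;
    nsp = str.substring(start, i);
    i++; // skip ','
  }
  let ackId;
  const ackStart = i;
  while (i < str.length && str.charAt(i) >= "0" && str.charAt(i) <= "9") i++;
  if (i > ackStart) ackId = Number(str.substring(ackStart, i));
  return { type, attachments, nsp, ackId, payload: str.substring(i) };
}

// Count the binary placeholders a decoded payload actually references.
function countPlaceholders(value) {
  if (Array.isArray(value)) return value.reduce((n, v) => n + countPlaceholders(v), 0);
  if (value !== null && typeof value === "object") {
    if (value._placeholder === true && Number.isInteger(value.num)) return 1;
    return Object.values(value).reduce((n, v) => n + countPlaceholders(v), 0);
  }
  return 0;
}

// Vulnerable pattern: buffer every attachment until the *declared* count is
// reached. The sender controls that count, so it also controls how much the
// server holds in memory before the packet is ever dispatched.
class NaiveReconstructor {
  constructor(header) {
    this.header = header;
    this.buffers = [];
  }
  take(buf) {
    this.buffers.push(buf);
    return this.buffers.length === this.header.attachments; // packet complete?
  }
  bufferedBytes() {
    return this.buffers.reduce((n, b) => n + b.byteLength, 0);
  }
}

// Hardened pattern (an assumed check, not the upstream fix): reject the packet
// up front unless the declared count stays under a fixed cap and equals the
// number of placeholders in the payload, so nothing is buffered on a bad header.
const MAX_ATTACHMENTS = 64; // assumed deployment limit

function checkedHeader(str, maxAttachments = MAX_ATTACHMENTS) {
  const h = parseHeader(str);
  if (h.attachments > maxAttachments) {
    throw new Error(`declared ${h.attachments} attachments, cap is ${maxAttachments}`);
  }
  const data = h.payload.length > 0 ? JSON.parse(h.payload) : undefined;
  const expected = countPlaceholders(data);
  if (h.attachments !== expected) {
    throw new Error(`declared ${h.attachments} attachments but payload references ${expected}`);
  }
  return { ...h, data };
}

// Constructed packets: one legitimate upload, one crafted to declare far more
// attachments than the payload references.
const LEGIT = '51-["upload",{"_placeholder":true,"num":0}]';
const CRAFTED = '5100000-["upload",{"_placeholder":true,"num":0}]';

// Feed `chunks` attachments of `size` bytes to the naive reconstructor and
// report how much it is holding while it still waits for the declared count.
function naiveBytesHeld(packet, chunks, size) {
  const r = new NaiveReconstructor(parseHeader(packet));
  for (let k = 0; k < chunks; k++) r.take(new Uint8Array(size));
  return r.bufferedBytes();
}

console.log("legit packet declares", checkedHeader(LEGIT).attachments, "attachment");
console.log("naive reconstructor holds", naiveBytesHeld(CRAFTED, 1000, 1024), "bytes and is still waiting");
try { checkedHeader(CRAFTED); } catch (e) { console.log("checked header rejected:", e.message); }
```

The naive reconstructor never frees anything until the declared count arrives, and the count is attacker-chosen, so the amount held grows with whatever the peer sends. The checked variant fails before the first attachment is accepted; the placeholder comparison is the meaningful part, while the fixed cap only bounds the worst case for payloads that do reference many placeholders.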
Remediation
- Within 24 hours: inventory all systems using Socket.IO v2.x, v3.x, or v4.x and assess their exposure to untrusted network input.
- Within 7 days: apply vendor patches to all affected Socket.IO instances and validate them in staging environments. …
Advisory reference: GHSA-677m-j7p3-52f9