CVE-2026-33151
HIGH
8,7
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
AI Translation Available
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.
20
Improper Input Validation
StableCommon Consequences
Security Scopes Affected:
Availability
Confidentiality
Integrity
Potential Impacts:
Dos: Crash, Exit, Or Restart
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Read Memory
Read Files Or Directories
Modify Memory
Execute Unauthorized Code Or Commands
Applicable Platforms
All platforms may be affected
754
Improper Check for Unusual or Exceptional Conditions
IncompleteCommon Consequences
Security Scopes Affected:
Integrity
Availability
Potential Impacts:
Dos: Crash, Exit, Or Restart
Unexpected State
Applicable Platforms
All platforms may be affected
https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1…
https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc0…
https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0…
https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9