Detections
Analytics

CVE-2026-33151

high

Description

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

References

https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9

https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78

https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf

https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4

Details

Source: Mitre, NVD

Published: 2026-03-20

Updated: 2026-03-20

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00085