Home

Description

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

PUBLISHED Reserved 2026-03-17 | Published 2026-03-20 | Updated 2026-03-23 | Assigner GitHub_M




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-20: Improper Input Validation

CWE-754: Improper Check for Unusual or Exceptional Conditions

Product status

< 3.3.5
affected

>= 3.4.0, < 3.4.4
affected

>= 4.0.0, < 4.2.6
affected

References

github.com/...ket.io/security/advisories/GHSA-677m-j7p3-52f9

github.com/...ommit/719f9ebab0772ffb882bd614b387e585c1aa75d4

github.com/...ommit/9d39f1f080510f036782f2177fac701cc041faaf

github.com/...ommit/b25738c416c4e32fbff62ee182afa8f6d0dacf78

cve.org (CVE-2026-33151)

nvd.nist.gov (CVE-2026-33151)

Download JSON