CVE-2026-33151

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

CVSS

No CVSS.

References

Link	Resource
https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4
https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf
https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78
https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-20 21:17

Updated : 2026-03-23 14:32

NVD link : CVE-2026-33151

Mitre link : CVE-2026-33151

CVE.ORG link : CVE-2026-33151

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-754

Improper Check for Unusual or Exceptional Conditions

{"id": "CVE-2026-33151", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T21:17:15.573", "references": [{"url": "https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4", "source": "security-advisories@github.com"}, {"url": "https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf", "source": "security-advisories@github.com"}, {"url": "https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78", "source": "security-advisories@github.com"}, {"url": "https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6."}, {"lang": "es", "value": "Socket.IO es un framework de comunicaci\u00f3n de c\u00f3digo abierto, en tiempo real, bidireccional y basado en eventos. Antes de las versiones 3.3.5, 3.4.4 y 4.2.6, un paquete de Socket.IO especialmente dise\u00f1ado puede hacer que el servidor espere un gran n\u00famero de adjuntos binarios y los almacene en b\u00fafer, lo cual puede ser explotado para agotar la memoria del servidor. Este problema ha sido parcheado en las versiones 3.3.5, 3.4.4 y 4.2.6."}], "lastModified": "2026-03-23T14:32:02.800", "sourceIdentifier": "security-advisories@github.com"}