GHSA-677m-j7p3-52f9

Source

https://github.com/advisories/GHSA-677m-j7p3-52f9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-677m-j7p3-52f9/GHSA-677m-j7p3-52f9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-677m-j7p3-52f9

Aliases

CVE-2026-33151

Published

2026-03-18T17:26:14Z

Modified

2026-03-18T17:35:57.422885Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

socket.io allows an unbounded number of binary attachments

Details

Impact

A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory.

Patches

| Version range | Used by | Fixed version | |------------------|--------------------------------------------|---------------| | >=4.0.0 <4.2.6 | socket.io@4.x and socket.io-client@4.x | 4.2.6 | | >=3.4.0 <3.4.4 | socket.io@2.x | 3.4.4 | | <3.3.5 | socket.io-client@2.x | 3.3.5 |

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Database specific

{
    "cwe_ids": [
        "CWE-754"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed_at": "2026-03-18T17:26:14Z"
}

References

Affected packages

npm / socket.io-parser

Package

Name: socket.io-parser; View open source insights on deps.dev
Purl: pkg:npm/socket.io-parser

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-677m-j7p3-52f9/GHSA-677m-j7p3-52f9.json"

npm / socket.io-parser

Package

Name: socket.io-parser; View open source insights on deps.dev
Purl: pkg:npm/socket.io-parser

Affected ranges

Type: SEMVER
Events: Introduced

3.4.0

Fixed

3.4.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-677m-j7p3-52f9/GHSA-677m-j7p3-52f9.json"

npm / socket.io-parser

Package

Name: socket.io-parser; View open source insights on deps.dev
Purl: pkg:npm/socket.io-parser

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Fixed

4.2.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-677m-j7p3-52f9/GHSA-677m-j7p3-52f9.json"