CVE-2026-33151 - Vulnerability Details

- socket.io allows an unbounded number of binary attachments

Description

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

Published: 2026-03-20

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A specially crafted packet to the Socket.IO framework can force the server to wait for a large number of binary attachments and buffer them. The result is an out‑of‑memory condition that stops the server from processing new requests and effectively brings the service offline. This weakness is a classic memory exhaustion flaw and falls under CWE‑770. The impact is a denial of service, compromising availability rather than confidentiality or integrity.

Affected Systems

Socket.IO, versions prior to 3.3.5, 3.4.4, and 4.2.6, regardless of the underlying Node.js runtime. The affected component is the Socket.IO parser module, which accepts client packets over WebSocket or HTTP.

Risk and Exploitability

The issue carries a high severity CVSS score of 8.7. Its exploit probability is low (EPSS < 1%) and it is not listed in the CISA KEV catalog. The vulnerability is remotely accessible; an attacker only needs send a malicious packet over an open Socket.IO connection, without authentication. If exploited, the server would exhaust its memory pool, leading to a service crash or refusal to accept further requests.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

socketio

socket.io

affected

Version	Status	Constraints
`< 3.3.5`	affected	—
`>= 3.4.0, < 3.4.4`	affected	—
`>= 4.0.0, < 4.2.6`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:socket:socket.io-parser::::::node.js::*
	cpe:2.3:a:socket:socket.io-parser::::::node.js::*
	cpe:2.3:a:socket:socket.io-parser::::::node.js::*

No data.

Vendor Product Confidence Versions

Socket

Socket.io

94%

Version	Status	Scheme	Platform
`[0,3.3.5)`	affected	semver	—
`[3.4.0,3.4.4)`	affected	semver	—
`[4.0.0,4.2.6)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Socket.IO to version 3.3.5, 3.4.4, or 4.2.6 or later.

Generated by OpenCVE AI on April 14, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-677m-j7p3-52f9	socket.io allows an unbounded number of binary attachments

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00172.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4
https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf
https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78
https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
https://nvd.nist.gov/vuln/detail/CVE-2026-33151
https://www.cve.org/CVERecord?id=CVE-2026-33151

History

Tue, 14 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Socket socket.io-parser
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:socket:socket.io-parser::::::node.js::*
Vendors & Products		Socket socket.io-parser
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 23 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
References		https://nvd.nist.gov/vuln/detail/CVE-2026-33151 https://www.cve.org/CVERecord?id=CVE-2026-33151
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}` threat_severity `Moderate`

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Socket Socket socket.io
Vendors & Products		Socket Socket socket.io

Fri, 20 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.
Title		socket.io allows an unbounded number of binary attachments
Weaknesses		CWE-20 CWE-754
References		https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4 https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78 https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Socket Socket.io Socket.io-parser

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-20T20:13:31.424Z

Updated: 2026-03-23T16:50:16.998Z

Reserved: 2026-03-17T21:17:08.885Z

Link: CVE-2026-33151

Vulnrichment

Updated: 2026-03-23T16:50:13.767Z

NVD

Status : Analyzed

Published: 2026-03-20T21:17:15.573

Modified: 2026-04-14T18:22:20.150

Link: CVE-2026-33151

Redhat

Severity : Moderate

Publid Date: 2026-03-20T20:13:31Z

Links: CVE-2026-33151 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object