Socket: >> Socket.io-Parser >> 3.1.1 Security Vulnerabilities
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.
CVSS Score
8.7
EPSS Score
0.001
Published
2026-03-20
Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
CVSS Score
10.0
EPSS Score
0.013
Published
2022-10-26
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
CVSS Score
7.5
EPSS Score
0.005
Published
2021-01-08