Socket.IO Memory Exhaustion Vulnerability via Unbounded Binary Attachments

Vulnerability

A denial-of-service vulnerability has been identified in Socket.IO, a real-time communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, the built-in parser allowed an unbounded number of binary attachments in packets. This could be exploited to make the server buffer a large number of binary elements, leading to excessive memory consumption and potential exhaustion of server resources. The issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

Impact

Exploitation of this vulnerability can cause the server to run out of memory, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a Socket.IO packet that declares a large number of binary attachments. The built-in parser accepts and buffers each of these attachments without an upper bound; repeating this is enough to exhaust the server's memory.

Remediation

Users can upgrade to Socket.IO versions 3.3.5, 3.4.4, or 4.2.6 to address this vulnerability.
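As an added illustration of the kind of bound a parser needs here (this is example code, not Socket.IO's own code or its patch), the following check reads the attachment count that a binary packet declares in its header and refuses to hand packets above a fixed limit to the decoder. The header layout and the limit of 16 are assumptions for this example.

```javascript
"use strict";

// Assumed socket.io-parser string encoding of a packet header:
//   <type>[<attachments>-][<namespace>,][<ack id>][JSON payload]
// Only types 5 (BINARY_EVENT) and 6 (BINARY_ACK) carry an attachment count.
const MAX_ATTACHMENTS = 16; // hypothetical limit chosen for this example

// Returns the number of binary attachments a packet declares, or 0 for
// packet types that carry none. Throws on a malformed header so that the
// caller fails closed instead of buffering an unparseable packet.
function declaredAttachments(encoded) {
  if (typeof encoded !== "string" || !/^[0-6]/.test(encoded)) {
    throw new Error("missing or unknown packet type");
  }
  const type = Number(encoded[0]);
  if (type !== 5 && type !== 6) return 0;

  let i = 1;
  let digits = "";
  while (i < encoded.length && encoded[i] !== "-") {
    if (encoded[i] < "0" || encoded[i] > "9") {
      throw new Error("illegal attachment count");
    }
    digits += encoded[i];
    i += 1;
  }
  // Either no terminating '-' was found or no digits preceded it.
  if (i === encoded.length || digits === "") {
    throw new Error("illegal attachment count");
  }
  return Number(digits);
}

// Gate applied before a packet reaches the decoder: accept only packets whose
// declared attachment count is within the limit, and drop malformed headers.
function shouldAccept(encoded, limit = MAX_ATTACHMENTS) {
  try {
    return declaredAttachments(encoded) <= limit;
  } catch (err) {
    return false;
  }
}

// Constructed sample packets: one ordinary event, one binary event with a
// single placeholder, and one that declares far more attachments than allowed.
const SAMPLES = [
  '2["hello",1]',
  '51-["upload",{"_placeholder":true,"num":0}]',
  '5100000-["upload"]',
];
for (const pkt of SAMPLES) {
  console.log(`${shouldAccept(pkt) ? "accept" : "reject"} ${pkt}`);
}
```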

Added: Mar 20, 2026, 9:24 PM
Updated: Mar 20, 2026, 9:24 PM

Vulnerability Rating (Custom Algorithm)

spread: 6.2
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.