VYPR

npm package

socket.io-parser

pkg:npm/socket.io-parser

Vulnerabilities (4)

  • CVE-2026-33151 | High | Mar 20, 2026
    affected < 3.3.5 | fixed 3.3.5

    Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited t

  • CVE-2023-32695 | May 27, 2023
    affected >= 4.0.4, < 4.2.3 | fixed 4.2.3

    socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in

  • CVE-2022-2421 | Oct 25, 2022
    affected >= 4.0.0, < 4.0.5 | fixed 4.0.5

    Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.

  • CVE-2020-36049 | Jan 7, 2021
    affected < 3.3.2 | fixed 3.3.2

    socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.