npm package
socket.io-parser
pkg:npm/socket.io-parser
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33151 | High | 7.5 | | < 3.3.5 | 3.3.5 | Mar 20, 2026 | Socket.IO is an open source, real-time, bidirectional, event-based communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited t |
| CVE-2023-32695 | — | | | >= 4.0.4, < 4.2.3 | 4.2.3 | May 27, 2023 | socket.io-parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in |
| CVE-2022-2421 | — | | | >= 4.0.0, < 4.0.5 | 4.0.5 | Oct 25, 2022 | Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object. |
| CVE-2020-36049 | — | | | < 3.3.2 | 3.3.2 | Jan 7, 2021 | socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. |