CVE-2026-33151

Sažetak

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

Reference

https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4
https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf
https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78
https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9

CVSS

Base:	7.5
Impact:	3.6
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Zadnje važnije ažuriranje

14-04-2026 - 18:22

Objavljeno

20-03-2026 - 21:17