Improper input validation in Socketio Socket.io
CVE-2026-33151
Socket.IO is an open source, real-time, bidirectional, event-based communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments…
EPSS: 0.001 (16.4th percentile)
Affected products
- Socketio Socket.io — versions < 3.3.5; >= 3.4.0 and < 3.4.4; >= 4.0.0 and < 4.2.6
Weakness classification (CWE)
References
- https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9 (x_refsource_CONFIRM)
- https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4 (x_refsource_MISC)
- https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf (x_refsource_MISC)
- https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78 (x_refsource_MISC)