Socket.IO — CVE history (npm)
Socket.IO
4 CVEs affect the Socket.IO npm package (highest CVSS 7.5). Latest disclosed: 2026-03-20. Full CVE history sourced from NVD.
Summary
- Package: Socket.IO (npm)
- Total CVEs: 4
- Actively exploited (CISA KEV): 0
- Highest CVSS: 7.5
- Latest disclosed: 2026-03-20
Recent CVEs (top 4)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33151 | High | 7.5 | — | 2026-03-20 | Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. |
| CVE-2024-38355 | High | 7.3 | — | 2024-06-19 | Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. |
| CVE-2020-28481 | Medium | 5.3 | — | 2021-01-19 | The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. |
| CVE-2017-16031 | High | 7.5 | — | 2018-06-04 | Socket.io is a realtime application framework that provides communication via websockets. |
All-time worst (top 4 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33151 | High | 7.5 | — | 2026-03-20 | Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. |
| CVE-2017-16031 | High | 7.5 | — | 2018-06-04 | Socket.io is a realtime application framework that provides communication via websockets. |
| CVE-2024-38355 | High | 7.3 | — | 2024-06-19 | Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. |
| CVE-2020-28481 | Medium | 5.3 | — | 2021-01-19 | The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. |