Socket.IO — CVE history (npm)

Socket.IO

4 CVEs affect the Socket.IO npm package (highest CVSS 7.5). Latest disclosed: 2026-03-20. Full CVE history sourced from NVD.

Summary

Package: Socket.IO (npm)
Total CVEs: 4
Actively exploited (CISA KEV): 0
Highest CVSS: 7.5
Latest disclosed: 2026-03-20

Recent CVEs (top 4)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33151 | High | 7.5 | | 2026-03-20 | Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. |
| CVE-2024-38355 | High | 7.3 | | 2024-06-19 | Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. |
| CVE-2020-28481 | Medium | 5.3 | | 2021-01-19 | The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. |
| CVE-2017-16031 | High | 7.5 | | 2018-06-04 | Socket.io is a realtime application framework that provides communication via websockets. |

All-time worst (top 4 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33151 | High | 7.5 | | 2026-03-20 | Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. |
| CVE-2017-16031 | High | 7.5 | | 2018-06-04 | Socket.io is a realtime application framework that provides communication via websockets. |
| CVE-2024-38355 | High | 7.3 | | 2024-06-19 | Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. |
| CVE-2020-28481 | Medium | 5.3 | | 2021-01-19 | The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. |