CVE-2026-33151
Memory Exhaustion via Binary Attachment Buffering in Socket.IO

Publication date: 2026-03-20

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.
Meta Information
Published: 2026-03-20
Last Modified: 2026-04-14
Generated: 2026-05-27
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-25
NVD
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
socket | socket.io-parser | up to 3.3.5 (excluding)
socket | socket.io-parser | from 3.4.0 (including) to 3.4.4 (excluding)
socket | socket.io-parser | from 4.0.0 (including) to 4.2.6 (excluding)
CWE ID | Description
CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the product.
CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33151 is a high-severity vulnerability in the Socket.IO library's parser component. It arises because the parser accepts a specially crafted packet containing an unbounded number of binary attachments without proper limits. This causes the server to buffer all these attachments, which can exhaust the server's memory.

The vulnerability is due to improper input validation and inadequate handling of exceptional conditions, allowing an attacker to send packets with excessive binary attachments. This can lead to a denial-of-service (DoS) condition by making the server run out of memory.

The issue has been fixed by introducing a default limit of 10 binary attachments per packet. If a packet declares more than this limit, the parser throws an error. This limit is configurable by providing a custom parser with a different maximum attachment count. [1, 2, 3, 4]


How can this vulnerability impact me?

This vulnerability can be exploited by an attacker to cause a denial-of-service (DoS) condition on your server running Socket.IO. By sending a specially crafted packet with an excessive number of binary attachments, the server will attempt to buffer all attachments, leading to memory exhaustion.

As a result, the server may become unresponsive or crash, disrupting service availability and potentially causing downtime for applications relying on Socket.IO for real-time communication.

No known workarounds exist other than upgrading to a patched version of Socket.IO that enforces limits on binary attachments.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from the Socket.IO server accepting an unbounded number of binary attachments in a single packet, which can lead to memory exhaustion. Detection involves monitoring for unusually large or excessive binary attachment packets sent to the Socket.IO server.

Since the vulnerability is related to the number of binary attachments in Socket.IO packets, one way to detect it is by capturing and inspecting WebSocket traffic to identify packets with an unusually high number of binary attachments.

You can use network packet capture tools such as tcpdump or Wireshark to capture WebSocket frames and analyze the packet headers for the number of binary attachments.

- Use tcpdump to capture traffic on the port where your Socket.IO server is running, for example: tcpdump -i eth0 port 3000 -w capture.pcap
- Open the capture file in Wireshark and filter for WebSocket frames to inspect the packet payloads.
- Look for packets where the first frame contains a packet type indicator (e.g., '5'), the number of binary attachments, and a JSON payload with placeholders.

Alternatively, monitoring server logs or application-level metrics for errors related to "too many attachments" or memory exhaustion can help detect exploitation attempts.

No specific commands are provided in the resources, but inspecting WebSocket traffic and monitoring for errors related to attachment limits are recommended approaches. [1, 2, 3, 4]


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade the Socket.IO library to a patched version that includes the fix for CVE-2026-33151.

- Upgrade to Socket.IO versions 3.3.5, 3.4.4, or 4.2.6 or later, where the vulnerability has been patched.

The fix enforces a default limit of 10 binary attachments per packet to prevent memory exhaustion attacks.

If upgrading immediately is not possible, consider implementing application-level controls to limit the size and number of binary attachments accepted by the server.

The patch also allows configuring the maximum number of binary attachments by subclassing the Decoder with a custom maxAttachments option.

- Example of configuring a custom limit (e.g., 20 attachments):

```js
import { Server } from "socket.io";
import { Encoder, Decoder } from "socket.io-parser";

// Supply a custom parser whose Decoder raises the default cap of 10 to 20
const io = new Server({
  parser: {
    Encoder,
    Decoder: class extends Decoder {
      constructor() {
        super({ maxAttachments: 20 });
      }
    }
  }
});
```

No known workarounds exist other than upgrading to a patched version. [1, 2, 3, 4]

