CVE-2026-33151

ADVISORY - github

Summary

Impact

A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory.

Patches

Version range	Used by	Fixed version
`>=4.0.0 <4.2.6`	`socket.io@4.x` and `socket.io-client@4.x`	`4.2.6`
`>=3.4.0 <3.4.4`	`socket.io@2.x`	`3.4.4`
`<3.3.5`	`socket.io-client@2.x`	`3.3.5`

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-20⁠

Improper Input Validation

CWE-754⁠

Improper Check for Unusual or Exceptional Conditions

ADVISORY - github

CWE-754⁠

Improper Check for Unusual or Exceptional Conditions

Impacted images

Advisories

NIST

CREATED

20 hours ago

UPDATED

20 hours ago

ADVISORY IDCVE-2026-33151⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-20⁠CWE-754⁠

CVSS SCORE

8.7high

GitHub

CREATED

3 days ago

UPDATED

20 hours ago

ADVISORY IDGHSA-677m-j7p3-52f9⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-754⁠

CVSS SCORE

8.7high

Debian

CREATED

7 hours ago

UPDATED

7 hours ago

ADVISORY IDCVE-2026-33151⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY ID

CGA-459v-c6c8-7cxf

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY