CVE-2026-33151

ADVISORY - github

Summary

Impact

A specially crafted Socket.IO packet can declare a large number of binary attachments. The server then waits for those attachments and buffers the binary frames it receives in the meantime, which can be exploited to make the server run out of memory.
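As an added illustration (not code from the advisory or from the Socket.IO project), the following Node.js sketch decodes the textual Socket.IO packet header, in which a BINARY_EVENT (type 5) or BINARY_ACK (type 6) packet announces its attachment count before the `-` separator, and then buffers the binary frames that follow. The permissive decoder trusts the announced count and keeps buffering, which is the failure mode described above; the hardened variant caps the count and the total bytes and requires the count to match the `_placeholder` markers in the payload. The limits (MAX_ATTACHMENTS, MAX_ATTACHMENT_BYTES), the placeholder check, the "upload" event and the sample frames are assumptions chosen for this example, not the upstream fix.

```javascript
// Added illustration, not socket.io-parser's code. A Socket.IO text packet is
// <type>[<attachments>-][<nsp>,][<ackId>][<json>]; BINARY_EVENT (5) and
// BINARY_ACK (6) announce how many binary frames follow, and the JSON payload
// marks each one with {"_placeholder":true,"num":N}.
const BINARY_EVENT = 5, BINARY_ACK = 6;

// Assumed limits for the hardened decoder (chosen here, not taken from the fix).
const MAX_ATTACHMENTS = 16;           // frames one packet may announce
const MAX_ATTACHMENT_BYTES = 1 << 20; // total bytes buffered for one packet

function parseHeader(str) {
  const type = Number(str.charAt(0));
  if (!Number.isInteger(type) || type < 0 || type > 6) throw new Error('illegal packet type');
  let i = 1, attachments = 0;
  if (type === BINARY_EVENT || type === BINARY_ACK) {
    const start = i;
    while (i < str.length && str.charAt(i) !== '-') i++;
    if (i === str.length) throw new Error('illegal attachments');
    attachments = Number(str.substring(start, i));
    if (!Number.isInteger(attachments) || attachments < 0) throw new Error('illegal attachments');
    i++; // skip '-'
  }
  let nsp = '/';
  if (str.charAt(i) === '/') {
    const start = i;
    while (i < str.length && str.charAt(i) !== ',') i++;
    nsp = str.substring(start, i);
    i++; // skip ','
  }
  const idStart = i;
  while (i < str.length && str.charAt(i) >= '0' && str.charAt(i) <= '9') i++;
  const id = i > idStart ? Number(str.substring(idStart, i)) : undefined;
  const data = i < str.length ? JSON.parse(str.substring(i)) : undefined;
  return { type, attachments, nsp, id, data };
}

// Count {"_placeholder":true,"num":N} markers anywhere in the payload.
function countPlaceholders(value) {
  if (Array.isArray(value)) return value.reduce((n, v) => n + countPlaceholders(v), 0);
  if (value && typeof value === 'object') {
    if (value._placeholder === true && Number.isInteger(value.num)) return 1;
    return Object.values(value).reduce((n, v) => n + countPlaceholders(v), 0);
  }
  return 0;
}

class Decoder {
  constructor({ hardened }) { this.hardened = hardened; this.pending = null; }

  // Feed one text frame or one binary frame; returns the packet once complete.
  add(chunk) {
    if (typeof chunk === 'string') {
      if (this.pending) throw new Error('text frame while binary frames were expected');
      const packet = parseHeader(chunk);
      if (packet.attachments === 0) return packet;
      if (this.hardened) {
        if (packet.attachments > MAX_ATTACHMENTS) throw new Error('too many attachments');
        if (countPlaceholders(packet.data) !== packet.attachments) {
          throw new Error('attachment count does not match placeholders');
        }
      }
      // Permissive path: trust the announced count and start buffering frames.
      this.pending = { packet, buffers: [], bytes: 0 };
      return null;
    }
    if (!this.pending) throw new Error('unexpected binary frame');
    this.pending.bytes += chunk.length;
    if (this.hardened && this.pending.bytes > MAX_ATTACHMENT_BYTES) {
      this.pending = null;
      throw new Error('attachment bytes exceed limit');
    }
    this.pending.buffers.push(chunk);
    if (this.pending.buffers.length < this.pending.packet.attachments) return null;
    const done = this.pending;
    this.pending = null;
    return { ...done.packet, buffers: done.buffers };
  }

  waitingFor() { return this.pending ? this.pending.packet.attachments - this.pending.buffers.length : 0; }
  bufferedBytes() { return this.pending ? this.pending.bytes : 0; }
}

// Constructed sample frames (hypothetical "upload" event); CRAFTED announces 1e8 frames.
const LEGIT = '51-["upload",{"_placeholder":true,"num":0}]';
const CRAFTED = '5100000000-["upload",{"_placeholder":true,"num":0}]';

// Feed frames in order and report what the decoder is left holding.
function feed(decoder, chunks) {
  try {
    let packet = null;
    for (const c of chunks) packet = decoder.add(c);
    return { ok: true, packet, waitingFor: decoder.waitingFor(), bufferedBytes: decoder.bufferedBytes() };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

Feeding CRAFTED to the permissive decoder leaves it holding every binary frame it is sent while still waiting for tens of millions more, so a client that keeps streaming frames grows the server's heap without bound; the hardened decoder rejects the packet on the header alone, before any attachment is buffered.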

Patches

Version range      Used by                                   Fixed version
>=4.0.0 <4.2.6     socket.io@4.x and socket.io-client@4.x    4.2.6
>=3.4.0 <3.4.4     socket.io@2.x                             3.4.4
<3.3.5             socket.io-client@2.x                      3.3.5

Workarounds

There is no known workaround other than upgrading to a fixed version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-20: Improper Input Validation

CWE-754: Improper Check for Unusual or Exceptional Conditions

ADVISORY - github

CWE-754: Improper Check for Unusual or Exceptional Conditions
