socket.io-parser
npm | 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting socket.io-parser
- CVE-2020-36049 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.4.1 | 2021-01-08
vulnerable: 3.4.0
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
- CVE-2022-2421 | CRITICAL | CVSS 10.0 | EG 10.0 | ✓ Fixed in 3.4.2 | 2022-10-26
Due to improper type validation in attachment parsing in the Socket.io js library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.
- CVE-2023-32695 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 3.3.4 | 2023-05-27
socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node…
- CVE-2026-33151 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.2.6 | 2026-03-20
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments …