CVE-2026-33151: socket.io allows an unbounded number of binary attachments
A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory.
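The defensive idea behind the fix can be illustrated with a pre-decode check that reads the declared attachment count from a Socket.IO packet header and rejects anything above a cap. This is an added example, not code from socket.io or from the advisory; the cap value, the function name and the sample packets are assumptions, and the exact limit socket.io adopted in the patched versions is not reproduced here.

```javascript
// Added example (not socket.io project code): a defensive pre-decode check that
// reads the binary-attachment count from a Socket.IO packet header and rejects
// packets declaring more attachments than a configurable cap, so a decoder is
// never told to wait for and buffer an unbounded number of binary frames.
// Socket.IO packet format: <type>[<attachments>-][<nsp>,][<ackId>][<json>]
// Only BINARY_EVENT (5) and BINARY_ACK (6) carry the "<attachments>-" field.
const BINARY_EVENT = 5;
const BINARY_ACK = 6;
// Assumed per-deployment cap; socket.io's own patched limit is not reproduced here.
const MAX_BINARY_ATTACHMENTS = 8;

function inspectBinaryAttachments(packet, maxAttachments = MAX_BINARY_ATTACHMENTS) {
  if (typeof packet !== "string" || packet.length === 0) {
    return { ok: false, attachments: 0, reason: "empty or non-string packet" };
  }
  // The type is a single ASCII digit '0'..'6'; anything else is not a valid packet.
  const type = packet.charCodeAt(0) - 48;
  if (type < 0 || type > 6) {
    return { ok: false, attachments: 0, reason: "unknown packet type" };
  }
  // Text packets never carry attachments; nothing to cap.
  if (type !== BINARY_EVENT && type !== BINARY_ACK) {
    return { ok: true, attachments: 0, reason: null };
  }
  // The count is the run of ASCII digits between the type byte and '-'.
  const m = /^(\d+)-/.exec(packet.slice(1));
  if (!m) {
    return { ok: false, attachments: 0, reason: "malformed attachment count" };
  }
  const attachments = Number(m[1]);
  if (attachments > maxAttachments) {
    return { ok: false, attachments, reason: `declares ${attachments} attachments, cap is ${maxAttachments}` };
  }
  return { ok: true, attachments, reason: null };
}

// Constructed sample packets for demonstration (not captured traffic).
const SAMPLES = {
  plainEvent: '2["chat","hello"]',
  smallBinary: '51-["upload",{"_placeholder":true,"num":0}]',
  hugeBinary: '51000000-["upload",{"_placeholder":true,"num":0}]',
  malformed: '5abc-["upload"]',
};

for (const [name, pkt] of Object.entries(SAMPLES)) {
  const r = inspectBinaryAttachments(pkt);
  console.log(`${name}: ${r.ok ? "accept" : "reject"}${r.reason ? ` (${r.reason})` : ""}`);
}
```

Run this check on the raw string before handing the packet to the decoder; a rejected packet should be dropped and the connection closed rather than buffered.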
References
- github.com/advisories/GHSA-677m-j7p3-52f9
- github.com/socketio/socket.io
- github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4
- github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf
- github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78
- github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
- nvd.nist.gov/vuln/detail/CVE-2026-33151