Source: node-socket.io-parser Version: 4.2.1+~3.1.0-3 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 4.2.1+~3.1.0-2
Hi, The following vulnerability was published for node-socket.io-parser. CVE-2026-33151[0]: | Socket.IO is an open source, real-time, bidirectional, event-based, | communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, | a specially crafted Socket.IO packet can make the server wait for a | large number of binary attachments and buffer them, which can be | exploited to make the server run out of memory. This issue has been | patched in versions 3.3.5, 3.4.4, and 4.2.6. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-33151 https://www.cve.org/CVERecord?id=CVE-2026-33151 [1] https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9 Regards, Salvatore
