Impact
A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory.
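The waiting behaviour described above comes from the attachment count that Socket.IO BINARY_EVENT (type 5) and BINARY_ACK (type 6) string packets carry before the "-" separator (e.g. `52-["ev",...]` announces two binary frames to follow). The decoder then holds the packet until that many frames arrive. The following header check, which is an added example and not the socket.io-parser code or the advisory's fix, shows the kind of bound a decoder needs; `MAX_ATTACHMENTS` is an assumed policy limit, not a value from the advisory.

```javascript
// Added example: bounded parsing of a Socket.IO string-packet header.
// Packet layout (protocol v5): <type>[<attachments>-][/<nsp>,][<id>]<json>
// Only the type and attachment count are handled here; the remainder is
// returned untouched as `rest` for the JSON decoder.
const BINARY_EVENT = 5;
const BINARY_ACK = 6;
const MAX_ATTACHMENTS = 16; // assumed limit; tune to the application's needs

function parseHeader(str, maxAttachments = MAX_ATTACHMENTS) {
  if (typeof str !== "string" || str.length === 0) {
    return { ok: false, reason: "empty packet" };
  }
  // Compare characters rather than Number(): Number(" ") is 0, not NaN.
  const c = str.charAt(0);
  if (c < "0" || c > "6") {
    return { ok: false, reason: "unknown packet type" };
  }
  const type = c.charCodeAt(0) - 48;
  let i = 1;
  let attachments = 0;
  if (type === BINARY_EVENT || type === BINARY_ACK) {
    const start = i;
    while (i < str.length && str.charAt(i) !== "-") {
      if (str.charAt(i) < "0" || str.charAt(i) > "9") {
        return { ok: false, reason: "non-numeric attachment count" };
      }
      i++;
    }
    // No digits at all, or digits that never reach a "-" separator.
    if (i === start || i === str.length) {
      return { ok: false, reason: "malformed attachment count" };
    }
    attachments = Number(str.slice(start, i));
    // A very long digit run overflows to Infinity; isSafeInteger rejects it.
    if (!Number.isSafeInteger(attachments) || attachments > maxAttachments) {
      return { ok: false, reason: "attachment count exceeds limit" };
    }
    i++; // skip the "-"
  }
  return { ok: true, type, attachments, rest: str.slice(i) };
}

module.exports = { parseHeader, MAX_ATTACHMENTS, BINARY_EVENT, BINARY_ACK };
```

A decoder that rejects the header before allocating its reconstruction state never enters the waiting-and-buffering path the advisory describes.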
Patches
| Version range | Used by | Fixed version |
| --- | --- | --- |
| >=4.0.0 <4.2.6 | socket.io@4.x and socket.io-client@4.x | 4.2.6 |
| >=3.4.0 <3.4.4 | socket.io@2.x | 3.4.4 |
| <3.3.5 | socket.io-client@2.x | 3.3.5 |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
References
- b25738c
- 719f9eb (from the socket.io-parser/3.4.x branch)
- 9d39f1f (from the socket.io-parser/3.3.x branch)