Filtered by vendor Socket
Subscriptions
Filtered by product Socket.io
Subscriptions
Total
5 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-59724 | 1 Socket | 1 Socket.io | 2026-07-10 | 7.5 High |
| Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as __proto__ through an inherited property of the clients object during WebTransport upgrade handling, causing a TypeError and denial of service. This issue is fixed in version 6.6.7. | ||||
| CVE-2026-59725 | 2 Redhat, Socket | 2 Hummingbird, Socket.io | 2026-07-10 | 7.5 High |
| Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7. | ||||
| CVE-2026-33151 | 1 Socket | 2 Socket.io, Socket.io-parser | 2026-04-15 | 7.5 High |
| Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6. | ||||
| CVE-2020-28481 | 1 Socket | 1 Socket.io | 2024-11-21 | 5.3 Medium |
| The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default. | ||||
| CVE-2017-16031 | 1 Socket | 1 Socket.io | 2024-11-21 | N/A |
| Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information. | ||||
Page 1 of 1.