# Security Policy

March 18, 2026

## Supported Versions
| Version | Supported |
|---|---|
| 4.x | :white_check_mark: |
| 3.x | :white_check_mark: |
| 2.4.x | :white_check_mark: |
| < 2.4.0 | :x: |
## Reporting a Vulnerability
To report a security vulnerability in this package, please send an email to @darrachequesne (see address in profile) describing the vulnerability and how to reproduce it.
We will get back to you as soon as possible and publish a fix if necessary.
:warning: IMPORTANT :warning: please do not create an issue in this repository, as attackers might take advantage of it. Thank you in advance for your responsible disclosure.
## History

### For the socket.io package
| Date | Description | CVE number | Affected versions | Patched versions |
|---|---|---|---|---|
| July 2012 | Insecure randomness | CVE-2017-16031 | <= 0.9.6 | 0.9.7 |
| January 2021 | CORS misconfiguration | CVE-2020-28481 | < 2.4.0 | 2.4.0 |
| June 2024 | Unhandled 'error' event | CVE-2024-38355 | < 2.5.1; >= 3.0.0, < 4.6.2 | 2.5.1; 4.6.2 |
From the transitive dependencies:
| Date | Dependency | Description | CVE number |
|---|---|---|---|
| January 2016 | ws | Buffer vulnerability | CVE-2016-10518 |
| January 2016 | ws | DoS due to excessively large websocket message | CVE-2016-10542 |
| November 2017 | ws | DoS in the Sec-Websocket-Extensions header parser | - |
| February 2020 | engine.io | Resource exhaustion | CVE-2020-36048 |
| January 2021 | socket.io-parser | Resource exhaustion | CVE-2020-36049 |
| May 2021 | ws | ReDoS in Sec-Websocket-Protocol header | CVE-2021-32640 |
| January 2022 | engine.io | Uncaught exception | CVE-2022-21676 |
| October 2022 | socket.io-parser | Insufficient validation when decoding a Socket.IO packet | CVE-2022-2421 |
| November 2022 | engine.io | Uncaught exception | CVE-2022-41940 |
| May 2023 | engine.io | Uncaught exception | CVE-2023-31125 |
| May 2023 | socket.io-parser | Insufficient validation when decoding a Socket.IO packet | CVE-2023-32695 |
| June 2024 | ws | DoS when handling a request with many HTTP headers | CVE-2024-37890 |
| March 2026 | socket.io-parser | Unbounded number of binary attachments | CVE-2026-33151 |
### For the socket.io-client package
From the transitive dependencies:
| Date | Dependency | Description | CVE number |
|---|---|---|---|
| January 2016 | ws | Buffer vulnerability | CVE-2016-10518 |
| January 2016 | ws | DoS due to excessively large websocket message | CVE-2016-10542 |
| October 2016 | engine.io-client | Insecure Defaults Allow MITM Over TLS | CVE-2016-10536 |
| November 2017 | ws | DoS in the Sec-Websocket-Extensions header parser | - |
| January 2021 | socket.io-parser | Resource exhaustion | CVE-2020-36049 |
| May 2021 | ws | ReDoS in Sec-Websocket-Protocol header | CVE-2021-32640 |
| October 2022 | socket.io-parser | Insufficient validation when decoding a Socket.IO packet | CVE-2022-2421 |
| May 2023 | socket.io-parser | Insufficient validation when decoding a Socket.IO packet | CVE-2023-32695 |
| June 2024 | ws | DoS when handling a request with many HTTP headers | CVE-2024-37890 |
| March 2026 | socket.io-parser | Unbounded number of binary attachments | CVE-2026-33151 |