Security Bulletin: IBM Maximo Application Suite - Manage Component uses socket.io-parser-4.2.4 in the inspections app, which is vulnerable to CVE-2026-33151
Summary: IBM Maximo Application Suite - Manage Component uses socket.io-parser-4.2.4 in the inspections app, which is vulnerable to CVE-2026-33151. Vulnerability Details: CVEID: CVE-2026-33151. DESCRIPTION: Socket.IO is an open source, real-time, bidirectional, event-based communication framework. Prior t...
0.edsql (>=1.0.49 <=1.0.50), 10secondsofcode-custom (=1.0.0) +1925 more potentially affected by CVE-2026-33151 via socket.io-parser (>=4.0.1-rc1 <=4.2.5)
socket.io-parser NPM version =4.0.1-rc1, =1.0.49, =1.0.0, =0.0.28, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.0.1, =0.8.2, =1.0.0, =0.1.13, =0.0.4, =0.0.9 and more Source cves: CVE-2026-33151 Source advisory: OSV:GHSA-677M-J7P3-52F9...
Allocation of Resources Without Limits or Throttling
Overview: socket.io-parser is a socket.io protocol parser. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Decoder class, which accepts an unlimited number of binary attachments. An attacker can exploit this to exhaust server memory...
@abcpros/bitcore-build (>=8.25.29 <=8.25.30), @acanto/october-scripts (=3.2.2) +1124 more potentially affected by CVE-2026-33151 via socket.io-parser (>=3.1.1 <=3.3.4)
socket.io-parser NPM version =3.1.1, =8.25.29, =1.0.0, =2018.7.11-0, =0.1.14, =1.0.2, =1.0.0, =1.2.0, =0.2.0-preview.3, =0.2.0, =1.0.10, =3.3.91, =3.3.114 and more Source cves: CVE-2026-33151 Source advisory: SNYK:JS-SOCKETIOPARSER-15680278...
Allocation of Resources Without Limits or Throttling
Overview: org.webjars.npm:socket.io-parser is a socket.io protocol parser. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Decoder class, which accepts an unlimited number of binary attachments. An attacker can exploit this to exhaust...
0.edsql (>=1.0.49 <=1.0.50), 10secondsofcode-custom (=1.0.0) +1925 more potentially affected by CVE-2026-33151 via socket.io-parser (>=4.0.1-rc1 <=4.2.5)
socket.io-parser NPM version =4.0.1-rc1, =1.0.49, =1.0.0, =0.0.28, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.0.1, =0.8.2, =1.0.0, =0.1.13, =0.0.4, =0.0.9 and more Source cves: CVE-2026-33151 Source advisory: SNYK:JS-SOCKETIOPARSER-15680278...
@ckeditor/ckeditor-cloud-services-collaboration (>=23.0.0 <=29.0.0), @ckeditor/ckeditor5-real-time-collaboration (>=29.1.0 <=33.0.0) +2 more potentially affected by CVE-2026-33151 via socket.io-parser (=3.4.1)
socket.io-parser NPM version =3.4.1 is affected by a known vulnerability. The following packages have a transitive dependency on socket.io-parser and may be impacted: - @ckeditor/ckeditor-cloud-services-collaboration =23.0.0, =29.1.0, =29.0.0, =1.5.3, =2.1.0 Source cves: CVE-2026-33151 Source...
EUVD-2021-1424
Malware in sbrugna...
0.edsql (>=1.0.49 <=1.0.50), 10secondsofcode-custom (=1.0.0) +1916 more potentially affected by CVE-2023-32695 via socket.io-parser (>=4.0.5 <=4.2.2)
socket.io-parser NPM version =4.0.5, =1.0.49, =1.0.0, =0.0.28, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.0.1, =0.8.2, =1.0.0, =0.1.13, =0.0.4, =0.0.9 and more Source cves: CVE-2023-32695 Source advisory: OSV:GHSA-CQMJ-92XF-R6R9...
GHSA-CQMJ-92XF-R6R9 Insufficient validation when decoding a Socket.IO packet
Impact: A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
TypeError: Cannot convert object to primitive value
    at Socket.emit (node:events:507:25)
    at .../node_modules/socket.io/lib/socket.js:531:14
Patches: A fix has been...
10cartsharing (>=1.0.0 <=1.0.3), 1api (>=0.0.1 <=0.0.2) +7956 more potentially affected by CVE-2023-32695 via socket.io-parser (>=2.2.2 <=3.3.0)
socket.io-parser NPM version =2.2.2, =1.0.0, =0.0.1, =0.0.1, =0.1.0, =1.0.2, =1.0.1, =2.16.1, =1.0.0-RC.1, =0.1.0, =1.0.1, =1.0.3 and more Source cves: CVE-2023-32695 Source advisory: OSV:GHSA-CQMJ-92XF-R6R9...
Type Confusion
socket.io-parser is vulnerable to type confusion. It is possible to overwrite the placeholder object due to improper type validation of attachment parsing in the reconstructPacket function, which allows an attacker to place references to functions at arbitrary places in the resulting query object...
@asigna/stx-core-sdk (=0.0.1), @casper124578/use-socket.io (>=2.1.0 <=4.1.0) +133 more potentially affected by CVE-2022-2421 via socket.io-parser (=4.1.2)
socket.io-parser NPM version =4.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on socket.io-parser and may be impacted: - @asigna/stx-core-sdk =0.0.1 - @casper124578/use-socket.io =2.1.0, =31.0.0, =34.0.0, =34.0.0, =1.0.0, =1.0.0, =1.0.1, =0.6.0,...
Resource exhaustion in socket.io-parser
Overview: The socket.io-parser npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet, because a concatenation approach is used. Recommendation: Upgrade to versions 3.3.2, 3.4.1 or later. References: - CVE - GitHub Advisory...
GHSA-XFHH-G9F5-X4M4 Resource exhaustion in socket.io-parser
The socket.io-parser npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service memory consumption via a large packet because a concatenation approach is used...
CVE-2020-36049
An uncontrolled resource consumption vulnerability was found in socket.io-parser. If an attacker crafts a packet with a very large payload length, this can cause the parser to consume an ever-increasing amount of memory, resulting in a denial of service. The highest threat from this vulnerability...
Denial Of Service (DoS)
socket.io-parser is vulnerable to denial of service. The vulnerability exists due to the build-up of ConsOneByteString objects caused by a concatenation approach when maxHttpBufferSize is set to a large size...
CVE-2020-36049
socket.io-parser before 3.4.1 allows attackers to cause a denial of service memory consumption via a large packet because a concatenation approach is used...
DEBIAN-CVE-2020-36049
socket.io-parser before 3.4.1 allows attackers to cause a denial of service memory consumption via a large packet because a concatenation approach is used...