socket.io allows an unbounded number of binary attachments
A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory.
Advisories for Npm/Socket.io-Parser package
2026
2023
Insufficient validation when decoding a Socket.IO packet
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. TypeError: Cannot convert object to primitive value at Socket.emit (node:events:507:25) at …/node_modules/socket.io/lib/socket.js:531:14
2022
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
2021
Uncontrolled Resource Consumption
socket.io-parser allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.