{"id":"CVE-2022-25867","details":"The package io.socket:socket.io-client before 2.0.1 is vulnerable to NULL Pointer Dereference when parsing a packet with an invalid payload format.","aliases":["GHSA-85xx-xhjm-rhrw"],"modified":"2026-04-11T22:01:35.658109Z","published":"2022-08-02T14:15:10.103Z","references":[{"type":"ADVISORY","url":"https://github.com/socketio/socket.io-client-java/releases/tag/socket.io-client-2.0.1"},{"type":"ADVISORY","url":"https://github.com/socketio/socket.io-client-java/issues/508%23issuecomment-1179817361"},{"type":"FIX","url":"https://security.snyk.io/vuln/SNYK-JAVA-IOSOCKET-2949738"},{"type":"FIX","url":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"type":"FIX","url":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/socketio/socket.io-client-java","events":[{"introduced":"0"},{"fixed":"b46da92382a94751b040f5961d523e6b4fa88f92"},{"fixed":"8664499b6f31154f49783531f778dac5387b766b"},{"fixed":"e8ffe9d1383736f6a21090ab959a2f4fa5a41284"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.0.1"}]}}],"versions":["socket.io-client-0.1.0","socket.io-client-0.1.1","socket.io-client-0.1.2","socket.io-client-0.1.3","socket.io-client-0.2.0","socket.io-client-0.3.0","socket.io-client-0.4.0","socket.io-client-0.4.1","socket.io-client-0.4.2","socket.io-client-0.5.0","socket.io-client-0.5.1","socket.io-client-0.5.2","socket.io-client-0.6.0","socket.io-client-0.6.2","socket.io-client-0.6.3","socket.io-client-0.7.0","socket.io-client-0.8.0","socket.io-client-0.8.1","socket.io-client-0.8.2","socket.io-client-0.8.3","socket.io-client-0.9.0","socket.io-client-1.0.0","socket.io-client-1.0.1","socket.io-client-2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25867.json","vanir_signatures":[{"digest":{"length":1481,"fun
ction_hash":"155039469940386019455845258574245382871"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java","function":"onopen"},"id":"CVE-2022-25867-0c60e5c5","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"line_hashes":["330351884232202267787130115367427524289","155993963846029726483332803758760818666","114592027837759442858847963566984970371","222307447661280100408270271903855654644","103423697403334210056011945958265846995","137547804320678982160556888762110102990","51146656315081352513844048987420068213","144909829009410704598234761018204933459","276099171136506276147276727079541770177","63449750779681841472008540675864904823","108162716819168662831186691028501926094","191679573230260346888028769194634881468","110599488653969413567111566202875718249","180225986859128937346504401972119021574","191659189624514619283189434269158729290","58324916380185471841697235065884853567","206999450170448514940640278334497546156","51538874068723634485169658885875709659","110877718632102977348873291911019390309"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java"},"id":"CVE-2022-25867-10215edb","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":1117,"function_hash":"323922742327221369151813226364361089600"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java","function":"onopen"},"id":"CVE-2022-25867-11d95d84","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":408,"function_hash":"70597917026141690223191826143879543719"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/
java/io/socket/parser/ByteArrayTest.java","function":"encodeByteArrayDeepInJson"},"id":"CVE-2022-25867-17929c9f","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"line_hashes":["288603564831520194365938669999527539039","15443075338282085710766430325578478879","266807285816256519356564128641074790475","79059387198834139398806162249551166466","59437927496811949472673114489955237898","16378709719166551229015074467394304791","323592228835755047393068168514054313422","305923234698752830768282781185913101440","128335492556745160063143975696060537180","319295350110876249966077323512158804423","139106281154675989991554612194414760889","313201166436295185442082260814228928343","151983731337828388025729234043354048455","280033135824125570550515884858582018943","206808288277910031067639298856099572625","62857970291546491322099179329616852514","262714240699976427160528564632776152724","305693823433079522912660184665330671391","57917637913496150298032194618827208502","215779876998246325796626369424526735185","254568047225412264018822820763192925699","263547640131338004714259664119201732258","33384396784193127022364626030868101467","35031503367406367230514223571283468196","315976865793848207931550738648190072176","57142979980305532528152076017573460697","120184185082169093823677426798299070141"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"src/main/java/io/socket/parser/IOParser.java"},"id":"CVE-2022-25867-2e76c8ad","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":422,"function_hash":"126427260856981178354654855963014288413"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ParserTest.java","function":"decodeInError"},"id":"CVE-2022-25867-337ee4a0","signature_version":"v1","source":"https://github.com/
socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":225,"function_hash":"214337505465570388417814207362912847702"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java","function":"call"},"id":"CVE-2022-25867-399f96e7","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"line_hashes":["269189631608018628783737945980697426338","14573765729623747936242599497382791219","121968831759675192768773680298388720369"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ParserTest.java"},"id":"CVE-2022-25867-3f22d64a","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"line_hashes":["94238245849690055776733890512580557144","133180078831256950317618517356016286330","207213122397558494108283864262317668325","122112420187721558789573035827374519801","278349400367920235569251780410605594837","111243925653825356868851864485153641346","51276178502341892755256213176177859697","301879898753269044612955752157856234181","208969016493228184399890410996416840831","334968619380632054071134232732141638101","246979572431205016719624711003798763871","250873568270127772824705796117157112366","274836480468834754093088942119916639064","136393982015616001105975997591502370107","41318188878015176963742778849741880103","334756858996575686001027776685538125597"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/Helpers.java"},"id":"CVE-2022-25867-40491f46","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":69,"function_hash":"178710714199927938745323101480645028447"},"signature_type":"Function",
"deprecated":false,"target":{"file":"src/test/java/io/socket/parser/Helpers.java","function":"call"},"id":"CVE-2022-25867-441798ac","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":1879,"function_hash":"92422203340474926550443281726311871988"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/parser/IOParser.java","function":"decodeString"},"id":"CVE-2022-25867-48de5bde","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":1761,"function_hash":"22618327027185820300069513878694498163"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/parser/IOParser.java","function":"decodeString"},"id":"CVE-2022-25867-4b628a7a","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":225,"function_hash":"214337505465570388417814207362912847702"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java","function":"call"},"id":"CVE-2022-25867-4f0444fb","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":173,"function_hash":"112944683551038721855475404685985638829"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ByteArrayTest.java","function":"encodeByteArray2"},"id":"CVE-2022-25867-5238eeb5","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"line_hashes":["222307447661280100408270271903855654644","103423697403334210056011945958265846995","137547804320678982160556888762110102990","51146656315081352513844048987420
068213","144909829009410704598234761018204933459","276099171136506276147276727079541770177","63449750779681841472008540675864904823","175677854661775611010073699219686998153","265104162537027909692604566300869247930","60384799861684396923173736554915127837","233079271236022527809654550124577392988","334353022424261598672514272424357292303","43564047231554041310739841207344903156","179490372741552773864707043236110188484","62297084573142657499941013054959228120","294842843886522386085322210674637276723","329373301809027826999721196839753302178","90572213038040735274262416326019841552","334353022424261598672514272424357292303","43564047231554041310739841207344903156","179490372741552773864707043236110188484","169023894476189725511837481431359229812","221804436680520198239341253726436398625","110877718632102977348873291911019390309"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java"},"id":"CVE-2022-25867-560a7467","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":168,"function_hash":"204166515592920553489127799559742805006"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ByteArrayTest.java","function":"encodeByteArray2"},"id":"CVE-2022-25867-58d1d44d","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":296,"function_hash":"188005209971846718456536144872794840639"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ByteArrayTest.java","function":"encodeDeepBinaryJSONWithNullValue"},"id":"CVE-2022-25867-5a2e8dcd","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"line_hashes":["9423824584969005577673389051258
0557144","133180078831256950317618517356016286330","277847541832062921134866598232159840774","210925262936132139554181240305776883598","195901139841702013903746216719160945339","133308813231207924035976929120450225049","106500292322008705824168062070608356540","3798448105526232460118391810149751431","324612372480211175524652808820054762788","70512390123679233209389854772796755253","312760577539159460909843129029185828827","247549691444917315111388294769195213511","106986818169959903001451311777231406742","324101447060866546129328860568813000341","12084278803998680857896914580904209778","231502664823332809976503690176763191944","110484007297038872466533763167873141364","136709469045096277873884578854727507534","86553291645369550712612845325477687057","161879002293776870660578428814178915038","258032804909825627144766731609201621432","81774182557928218687309435088553573650","32039212388845050715134370557838681118","246511126125611105686653069270469266869","40633985980171446033766331823318661445","109212433362270783226740382652215573746","307445133452431518988712725339401914366","198094818745506945232646406054350312292","158959541403471124445477622941279250794","94252167666969432427833898555347044100","127618413627684259171771024159499929252","153761612230287572655742427907461266632","137959505591415166735754348134779230847"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ByteArrayTest.java"},"id":"CVE-2022-25867-5fb73e12","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":206,"function_hash":"31593748012692812889959604266787137477"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ByteArrayTest.java","function":"encodeByteArray"},"id":"CVE-2022-25867-6302fdb8","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b
6f31154f49783531f778dac5387b766b"},{"digest":{"length":72,"function_hash":"199816967162229504358665127724796251189"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java","function":"ondata"},"id":"CVE-2022-25867-663f63f9","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":72,"function_hash":"199816967162229504358665127724796251189"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java","function":"ondata"},"id":"CVE-2022-25867-8fbeb5b0","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":422,"function_hash":"126427260856981178354654855963014288413"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ParserTest.java","function":"decodeInError"},"id":"CVE-2022-25867-93e43e72","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":138,"function_hash":"178256102899245578013219693735217509739"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java","function":"ondata"},"id":"CVE-2022-25867-960230e6","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":68,"function_hash":"332180544957537797100064154126508377303"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/parser/IOParser.java","function":"error"},"id":"CVE-2022-25867-b9a5c01a","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"line_hashes":["9423824584969005577673389051258
0557144","133180078831256950317618517356016286330","277847541832062921134866598232159840774","210925262936132139554181240305776883598","195901139841702013903746216719160945339","133308813231207924035976929120450225049","106500292322008705824168062070608356540","3798448105526232460118391810149751431","324612372480211175524652808820054762788","279955952037762226704836918190727644072","71359213420542349620598470962533381188","338686438415964209792006857260363586849","171926862043464394639632938663201224107","12084278803998680857896914580904209778","288420503210052451976253847414604436468","153189052179132598341476071698655762081","11277500507056154793546597225265752548","103768160822141730253795347311758407196","161879002293776870660578428814178915038","258032804909825627144766731609201621432","81774182557928218687309435088553573650","32039212388845050715134370557838681118","326804524966583022787943353315274487042","326564268665324641843343098171175736432","112508828094635244235154492418677453490","77346130834140025449674242945035406115","198094818745506945232646406054350312292","158959541403471124445477622941279250794","210987834582175452421955818569567764719","28377400541050044022708811860014928183","147131802310384635435553080240682315863","119182149109773169623989132681692119653"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ByteArrayTest.java"},"id":"CVE-2022-25867-ccfcd446","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"line_hashes":["288603564831520194365938669999527539039","15443075338282085710766430325578478879","266807285816256519356564128641074790475","204087852258886317367644981924637591548","81301933382191975383967456894446684033","305918127084691962467330016408346751785","63787025206940967262287090865913626892","315976865793848207931550738648190072176","57142979980305532528152076017573460697","
120184185082169093823677426798299070141"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"src/main/java/io/socket/parser/IOParser.java"},"id":"CVE-2022-25867-d19542d3","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":403,"function_hash":"862704848921722933330526036219367124"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ByteArrayTest.java","function":"encodeByteArrayDeepInJson"},"id":"CVE-2022-25867-dc5f47b3","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":262,"function_hash":"309278589394794552611978371824915736461"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/Helpers.java","function":"testDecodeError"},"id":"CVE-2022-25867-dd29aeb0","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"},{"digest":{"length":211,"function_hash":"184130053973997845548317344239987455514"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ByteArrayTest.java","function":"encodeByteArray"},"id":"CVE-2022-25867-e58cd2b9","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":138,"function_hash":"178256102899245578013219693735217509739"},"signature_type":"Function","deprecated":false,"target":{"file":"src/main/java/io/socket/client/Manager.java","function":"ondata"},"id":"CVE-2022-25867-efaa3a2f","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"line_hashes":["269189631608018628783737945980697426338","14573765729623747936242599497382
791219","121968831759675192768773680298388720369"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ParserTest.java"},"id":"CVE-2022-25867-f7bfbd3e","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/e8ffe9d1383736f6a21090ab959a2f4fa5a41284"},{"digest":{"length":291,"function_hash":"175086423678421437849067288517186540843"},"signature_type":"Function","deprecated":false,"target":{"file":"src/test/java/io/socket/parser/ByteArrayTest.java","function":"encodeDeepBinaryJSONWithNullValue"},"id":"CVE-2022-25867-ff56a16e","signature_version":"v1","source":"https://github.com/socketio/socket.io-client-java/commit/8664499b6f31154f49783531f778dac5387b766b"}],"vanir_signatures_modified":"2026-04-11T22:01:35Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}