{"id":"GHSA-xfhh-g9f5-x4m4","summary":"Resource exhaustion in socket.io-parser","details":"The `socket.io-parser` npm package, in versions before 3.3.2 and in 3.4.x versions before 3.4.1, allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. The issue is fixed in 3.3.2 and 3.4.1.","aliases":["CVE-2020-36049"],"modified":"2023-11-08T04:03:40.136588Z","published":"2021-06-30T16:51:31Z","database_specific":{"severity":"HIGH","cwe_ids":["CWE-400"],"github_reviewed":true,"github_reviewed_at":"2021-04-06T23:06:09Z","nvd_published_at":"2021-01-08T00:15:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36049"},{"type":"WEB","url":"https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55"},{"type":"WEB","url":"https://blog.caller.xyz/socketio-engineio-dos"},{"type":"WEB","url":"https://github.com/bcaller/kill-engine-io"},{"type":"WEB","url":"https://github.com/socketio/socket.io-parser/releases/tag/3.3.2"},{"type":"WEB","url":"https://github.com/socketio/socket.io-parser/releases/tag/3.4.1"},{"type":"WEB","url":"https://www.npmjs.com/package/socket.io-parser"}],"affected":[{"package":{"name":"socket.io-parser","ecosystem":"npm","purl":"pkg:npm/socket.io-parser"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.3.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-xfhh-g9f5-x4m4/GHSA-xfhh-g9f5-x4m4.json"}},{"package":{"name":"socket.io-parser","ecosystem":"npm","purl":"pkg:npm/socket.io-parser"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.4.0"},{"fixed":"3.4.1"}]}],"versions":["3.4.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-xfhh-g9f5-x4m4/GHSA-xfhh-g9f5-x4m4.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}