Description
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Remediation
References
https://blog.caller.xyz/socketio-engineio-dos/
https://github.com/bcaller/kill-engine-io
https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55
Related Vulnerabilities
CVE-2022-21680 Vulnerability in npm package marked
CVE-2022-0087 Vulnerability in npm package @keystone-6/auth
CVE-2021-30246 Vulnerability in maven package org.webjars.npm:jsrsasign
CVE-2022-2932 Vulnerability in npm package mobiledoc-kit
CVE-2020-28459 Vulnerability in npm package markdown-it-decorate