All socket.io CVEs — Complete Vulnerability History
socket.io is one of the most widely used real-time messaging libraries for Node.js; it speaks WebSocket with an HTTP long-polling fallback, so its server side is reachable by any client that can hit the HTTP port. The CVEs recorded against it are regular-expression denial-of-service (ReDoS) issues in socket ID parsing, listed in the table below.
Registry: npm · 5M+ weekly downloads · 2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2020-28469 | 2020 | HIGH | ReDoS via crafted socket ID | Fixed 2.4.0 |
| CVE-2023-32695 | 2023 | HIGH | ReDoS via specially crafted socket.id | Fixed 4.6.2 |
Current safe version: 4.6.2 (the lowest 4.x release that closes both CVEs; 2.4.0 only closes CVE-2020-28469).
# Before
"socket.io": "4.6.0"
# After
"socket.io": "4.6.2"
Then run: npm install, and confirm with npm ls socket.io. The tree it prints also shows nested copies of socket.io pulled in by other dependencies, which a top-level version bump does not update; npm audit checks every copy in the lockfile against the advisory database.
Paste your manifest — see your exact versions against the full CVE history.
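To run the same check locally against a lockfile, here is an added example (not PackageFix's or the socket.io project's code) that walks a package-lock.json v2/v3 "packages" map, compares every copy of socket.io it finds against the fix versions in the table above, and flags the transitive copies that a top-level bump does not touch. The sample lockfile, the CVE_TABLE constant and the helper names are constructed for illustration; the table only carries one fix version per CVE, so the check is a plain "older than the fix" comparison and ignores backports.

```javascript
// Added example, not socket.io or PackageFix code: audit a package-lock.json
// against the CVE table on this page. Fix versions are taken from the table.
const CVE_TABLE = [
  { id: "CVE-2020-28469", fixed: "2.4.0" },
  { id: "CVE-2023-32695", fixed: "4.6.2" },
];

// Parse the numeric core of a version; range prefixes (^ ~ >=) and
// prerelease/build tags are dropped on purpose (documented limitation).
function parseVersion(v) {
  const core = String(v).replace(/^[\^~>=<\s]+/, "").split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Classic three-way compare on major.minor.patch.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// CVE ids whose fix version is newer than the installed version.
// Caveat: if a fix was backported to an older major line, this over-reports.
function openCves(installedVersion, table = CVE_TABLE) {
  return table
    .filter((entry) => compareVersions(installedVersion, entry.fixed) < 0)
    .map((entry) => entry.id);
}

// Walk every entry of the lockfile's "packages" map and report each copy of
// the package, including nested ones under another dependency's node_modules.
function auditLock(lock, name = "socket.io") {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isDirect = path === `node_modules/${name}`;
    const isNested = path.endsWith(`/node_modules/${name}`);
    if (isDirect || isNested) {
      findings.push({ path, version: meta.version, cves: openCves(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: the direct dependency has been bumped to 4.6.2,
// but a hypothetical "legacy-widget" package still pins its own old copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "socket.io": "4.6.2", "legacy-widget": "1.0.0" } },
    "node_modules/socket.io": { version: "4.6.2" },
    "node_modules/legacy-widget": { version: "1.0.0", dependencies: { "socket.io": "2.3.0" } },
    "node_modules/legacy-widget/node_modules/socket.io": { version: "2.3.0" },
  },
};

// Human-readable report, one line per copy found.
function report(lock) {
  return auditLock(lock).map(
    (f) => `${f.path}@${f.version}: ${f.cves.length ? f.cves.join(", ") : "no open CVEs"}`
  );
}

console.log(report(SAMPLE_LOCK).join("\n"));
```

Run it against your own lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested copy in the sample is exactly the case that `npm install socket.io@4.6.2` leaves in place and that the version bump above does not cover.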
Common questions
Is socket.io ReDoS exploitable?
Yes. A malicious client can send a crafted socket ID that makes the server's regular expression backtrack for a very long time. The match runs synchronously on Node.js's single event loop, so while it backtracks no other connection, HTTP request or timer is serviced: one request carrying a few dozen characters stalls the whole process, not just the attacker's socket, and resending it keeps the server down. Upgrading is the fix; until then, cap the length of untrusted identifiers before they reach any regex.
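As an added example (not socket.io's code, and the regex below is a constructed stand-in for nested-quantifier patterns in general, not the pattern from any socket.io release), the block shows the naive check that hands untrusted input straight to a backtracking regex next to the linear-time gate to put in front of it, and times both on a hostile input so the event-loop cost is visible. The hostileId helper, MAX_ID_LEN and the demo function are assumptions for illustration.

```javascript
// Added example, not socket.io code: catastrophic backtracking on attacker
// input versus a bounded, linear-time validator.

// Constructed pattern with a nested quantifier ((...)+)* over the same
// character class: the textbook ReDoS shape. NOT the regex from socket.io.
const NESTED_QUANTIFIER = /^([a-zA-Z0-9_-]+)*$/;

// Hostile input: n valid characters followed by one that can never match,
// so the engine tries every way of splitting the prefix (2^(n-1) attempts).
function hostileId(n) {
  return "a".repeat(n) + "!";
}

// Naive check: untrusted input goes straight into the backtracking regex.
function naiveIsValidId(id) {
  return NESTED_QUANTIFIER.test(id);
}

// Hardened check: reject oversized input first, then one pass over the
// characters with no regex at all. Cost is O(length) whatever the content.
const MAX_ID_LEN = 64; // assumed bound; pick what your ID format needs
function safeIsValidId(id) {
  if (typeof id !== "string" || id.length === 0 || id.length > MAX_ID_LEN) {
    return false;
  }
  for (let i = 0; i < id.length; i++) {
    const c = id.charCodeAt(i);
    const ok =
      (c >= 48 && c <= 57) ||   // 0-9
      (c >= 65 && c <= 90) ||   // A-Z
      (c >= 97 && c <= 122) ||  // a-z
      c === 45 || c === 95;     // - and _
    if (!ok) return false;
  }
  return true;
}

// Time a synchronous check. While it runs, nothing else on the event loop
// (other sockets, HTTP requests, timers) gets a turn.
function timeMs(fn) {
  const start = process.hrtime.bigint();
  const result = fn();
  return { result, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

// Demo: naive cost roughly doubles with every extra character, the safe check
// stays flat. n = 20 is quick; try 26 or more to watch the process stall.
function demo(n = 20) {
  const naive = timeMs(() => naiveIsValidId(hostileId(n)));
  const safe = timeMs(() => safeIsValidId(hostileId(n)));
  return { n, naiveResult: naive.result, naiveMs: naive.ms, safeResult: safe.result, safeMs: safe.ms };
}

console.log(demo());
```

Both checks return false for the hostile string; the difference is how long the event loop is blocked on the way there, which is what an attacker is buying with each request.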
Does this affect socket.io-client?
No. The vulnerable parsing runs on the server, so socket.io-client is not affected by these two CVEs. Keep in mind, though, that socket.io and socket.io-client share the socket.io-parser and engine.io/engine.io-client packages, whose advisories are tracked separately; check those versions as well when you bump socket.io.