CVE-2020-36049

7.5 HIGH

📋 TL;DR

This vulnerability in socket.io-parser allows attackers to cause denial of service through memory exhaustion by sending specially crafted large packets. The parser uses inefficient string concatenation that consumes excessive memory when processing large payloads. Any application using vulnerable versions of socket.io-parser for WebSocket communication is affected.

💻 Affected Systems

Products:
  • socket.io-parser
  • socket.io
  • socket.io-client
  • engine.io
Versions: All versions before 3.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using socket.io for real-time communication is vulnerable if using affected parser versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to memory exhaustion, potentially requiring server restart and causing extended downtime.

🟠 Likely Case

Degraded performance and intermittent service disruptions as memory consumption spikes during attacks.

🟢 If Mitigated

Minimal impact with proper monitoring and resource limits in place, though some performance degradation may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept tools exist (kill-engine-io), making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.1

Vendor Advisory: https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55

Restart Required: Yes

Instructions:

1. Update socket.io-parser to version 3.4.1 or later.
2. Update socket.io and related dependencies.
3. Restart the application/service.
4. Test WebSocket functionality.

🔧 Temporary Workarounds

Rate Limiting (all platforms)

Implement rate limiting on WebSocket connections to restrict packet frequency and size.

Memory Limits (all platforms)

Configure application memory limits and automatic restart policies to mitigate complete exhaustion.

🧯 If You Can't Patch

  • Implement network-level filtering to block unusually large WebSocket packets.
  • Deploy Web Application Firewall (WAF) with WebSocket protection rules.

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/socket.io-parser/package.json for version number.

Check Version:

npm list socket.io-parser

Verify Fix Applied:

Confirm socket.io-parser version is 3.4.1 or higher after update.
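A single `npm list socket.io-parser` line can hide a second copy: socket.io and socket.io-client each pull in their own socket.io-parser, so the tree must be walked. The script below is an added example, not part of this advisory or the socket.io project; it parses the JSON shape printed by `npm ls socket.io-parser --json` (the SAMPLE tree here is constructed, not real output) and flags every copy older than 3.4.1.

```javascript
// Added example (not from the advisory): walk the JSON tree printed by
// `npm ls socket.io-parser --json` and flag every copy older than 3.4.1.
// socket.io and socket.io-client each pull in their own socket.io-parser,
// so a single "npm list" line can hide a second, older, nested copy.
const FIXED = [3, 4, 1];

// Compare dotted versions numerically; a pre-release tag (e.g. "3.4.1-rc.0")
// sorts below the release it precedes.
function isBefore(version, target) {
  const [core, pre] = version.split('-');
  const parts = core.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0, b = target[i] || 0;
    if (a !== b) return a < b;
  }
  return pre !== undefined; // equal core: only a pre-release is still "before"
}

// Recursively collect {path, version, vulnerable} for each socket.io-parser node.
function findParsers(tree, path = [], out = []) {
  for (const [name, dep] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === 'socket.io-parser') {
      out.push({ path: here.join(' > '), version: dep.version,
                 vulnerable: isBefore(dep.version, FIXED) });
    }
    findParsers(dep, here, out);
  }
  return out;
}

// Constructed sample of `npm ls socket.io-parser --json` output: the top-level
// socket.io has been updated, but socket.io-client still nests an old parser.
const SAMPLE = {
  name: 'chat-app',
  dependencies: {
    'socket.io': { version: '2.4.1',
      dependencies: { 'socket.io-parser': { version: '3.4.1' } } },
    'socket.io-client': { version: '2.3.0',
      dependencies: { 'socket.io-parser': { version: '3.3.0' } } },
  },
};

// Print one line per copy found; any VULNERABLE line means the fix is not fully applied.
for (const r of findParsers(SAMPLE)) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.version}  ${r.path}`);
}
```

To check a real project, replace SAMPLE with `JSON.parse` of the captured `npm ls socket.io-parser --json` output.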

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption spikes
  • Process crashes/restarts
  • High packet size warnings

Network Indicators:

  • Large WebSocket packets (>1MB)
  • High frequency of WebSocket connections

SIEM Query:

source="application.logs" AND ("memory spike" OR "out of memory") AND process="node"
