docs(security): add CVE-2026-33151

darrachequesne · darrachequesne · commit e4d016bd5b4d · 2026-03-18T09:09:12.000+01:00
[skip ci]
diff --git a/SECURITY.md b/SECURITY.md
@@ -37,33 +37,35 @@ We will get back to you as soon as possible and publish a fix if necessary.
 
 From the transitive dependencies:
 
-| Date          | Dependency         | Description                                                                                                   | CVE number       |
-|---------------|--------------------|---------------------------------------------------------------------------------------------------------------|------------------|
-| January 2016  | `ws`               | [Buffer vulnerability](https://github.com/advisories/GHSA-2mhh-w6q8-5hxw)                                     | `CVE-2016-10518` |
-| January 2016  | `ws`               | [DoS due to excessively large websocket message](https://github.com/advisories/GHSA-6663-c963-2gqg)           | `CVE-2016-10542` |
-| November 2017 | `ws`               | [DoS in the `Sec-Websocket-Extensions` header parser](https://github.com/advisories/GHSA-5v72-xg48-5rpm)      | `-`              |
-| February 2020 | `engine.io`        | [Resource exhaustion](https://github.com/advisories/GHSA-j4f2-536g-r55m)                                      | `CVE-2020-36048` |
-| January 2021  | `socket.io-parser` | [Resource exhaustion](https://github.com/advisories/GHSA-xfhh-g9f5-x4m4)                                      | `CVE-2020-36049` |
-| May 2021      | `ws`               | [ReDoS in `Sec-Websocket-Protocol` header](https://github.com/advisories/GHSA-6fc8-4gx4-v693)                 | `CVE-2021-32640` |
-| January 2022  | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-273r-mgr4-v34f)                                       | `CVE-2022-21676` |
-| October 2022  | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-qm95-pgcg-qqfq) | `CVE-2022-2421`  |
-| November 2022 | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-r7qp-cfhv-p84w)                                       | `CVE-2022-41940` |
-| May 2023      | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-q9mw-68c2-j6m5)                                       | `CVE-2023-31125` |
-| May 2023      | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-cqmj-92xf-r6r9) | `CVE-2023-32695` |
-| June 2024     | `ws`               | [DoS when handling a request with many HTTP headers](https://github.com/advisories/GHSA-3h5v-q93c-6h6q)       | `CVE-2024-37890` |
+| Date          | Dependency         | Description                                                                                                             | CVE number       |
+|---------------|--------------------|-------------------------------------------------------------------------------------------------------------------------|------------------|
+| January 2016  | `ws`               | [Buffer vulnerability](https://github.com/advisories/GHSA-2mhh-w6q8-5hxw)                                               | `CVE-2016-10518` |
+| January 2016  | `ws`               | [DoS due to excessively large websocket message](https://github.com/advisories/GHSA-6663-c963-2gqg)                     | `CVE-2016-10542` |
+| November 2017 | `ws`               | [DoS in the `Sec-Websocket-Extensions` header parser](https://github.com/advisories/GHSA-5v72-xg48-5rpm)                | `-`              |
+| February 2020 | `engine.io`        | [Resource exhaustion](https://github.com/advisories/GHSA-j4f2-536g-r55m)                                                | `CVE-2020-36048` |
+| January 2021  | `socket.io-parser` | [Resource exhaustion](https://github.com/advisories/GHSA-xfhh-g9f5-x4m4)                                                | `CVE-2020-36049` |
+| May 2021      | `ws`               | [ReDoS in `Sec-Websocket-Protocol` header](https://github.com/advisories/GHSA-6fc8-4gx4-v693)                           | `CVE-2021-32640` |
+| January 2022  | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-273r-mgr4-v34f)                                                 | `CVE-2022-21676` |
+| October 2022  | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-qm95-pgcg-qqfq)           | `CVE-2022-2421`  |
+| November 2022 | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-r7qp-cfhv-p84w)                                                 | `CVE-2022-41940` |
+| May 2023      | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-q9mw-68c2-j6m5)                                                 | `CVE-2023-31125` |
+| May 2023      | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-cqmj-92xf-r6r9)           | `CVE-2023-32695` |
+| June 2024     | `ws`               | [DoS when handling a request with many HTTP headers](https://github.com/advisories/GHSA-3h5v-q93c-6h6q)                 | `CVE-2024-37890` |
+| March 2026    | `socket.io-parser` | [Unbounded number of binary attachments](https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9) | `CVE-2026-33151` |
 
 ### For the `socket.io-client` package
 
 From the transitive dependencies:
 
-| Date          | Dependency         | Description                                                                                                   | CVE number       |
-|---------------|--------------------|---------------------------------------------------------------------------------------------------------------|------------------|
-| January 2016  | `ws`               | [Buffer vulnerability](https://github.com/advisories/GHSA-2mhh-w6q8-5hxw)                                     | `CVE-2016-10518` |
-| January 2016  | `ws`               | [DoS due to excessively large websocket message](https://github.com/advisories/GHSA-6663-c963-2gqg)           | `CVE-2016-10542` |
-| October 2016  | `engine.io-client` | [Insecure Defaults Allow MITM Over TLS](https://github.com/advisories/GHSA-4r4m-hjwj-43p8)                    | `CVE-2016-10536` |
-| November 2017 | `ws`               | [DoS in the `Sec-Websocket-Extensions` header parser](https://github.com/advisories/GHSA-5v72-xg48-5rpm)      | `-`              |
-| January 2021  | `socket.io-parser` | [Resource exhaustion](https://github.com/advisories/GHSA-xfhh-g9f5-x4m4)                                      | `CVE-2020-36049` |
-| May 2021      | `ws`               | [ReDoS in `Sec-Websocket-Protocol` header](https://github.com/advisories/GHSA-6fc8-4gx4-v693)                 | `CVE-2021-32640` |
-| October 2022  | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-qm95-pgcg-qqfq) | `CVE-2022-2421`  |
-| May 2023      | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-cqmj-92xf-r6r9) | `CVE-2023-32695` |
-| June 2024     | `ws`               | [DoS when handling a request with many HTTP headers](https://github.com/advisories/GHSA-3h5v-q93c-6h6q)       | `CVE-2024-37890` |
+| Date          | Dependency         | Description                                                                                                             | CVE number       |
+|---------------|--------------------|-------------------------------------------------------------------------------------------------------------------------|------------------|
+| January 2016  | `ws`               | [Buffer vulnerability](https://github.com/advisories/GHSA-2mhh-w6q8-5hxw)                                               | `CVE-2016-10518` |
+| January 2016  | `ws`               | [DoS due to excessively large websocket message](https://github.com/advisories/GHSA-6663-c963-2gqg)                     | `CVE-2016-10542` |
+| October 2016  | `engine.io-client` | [Insecure Defaults Allow MITM Over TLS](https://github.com/advisories/GHSA-4r4m-hjwj-43p8)                              | `CVE-2016-10536` |
+| November 2017 | `ws`               | [DoS in the `Sec-Websocket-Extensions` header parser](https://github.com/advisories/GHSA-5v72-xg48-5rpm)                | `-`              |
+| January 2021  | `socket.io-parser` | [Resource exhaustion](https://github.com/advisories/GHSA-xfhh-g9f5-x4m4)                                                | `CVE-2020-36049` |
+| May 2021      | `ws`               | [ReDoS in `Sec-Websocket-Protocol` header](https://github.com/advisories/GHSA-6fc8-4gx4-v693)                           | `CVE-2021-32640` |
+| October 2022  | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-qm95-pgcg-qqfq)           | `CVE-2022-2421`  |
+| May 2023      | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-cqmj-92xf-r6r9)           | `CVE-2023-32695` |
+| June 2024     | `ws`               | [DoS when handling a request with many HTTP headers](https://github.com/advisories/GHSA-3h5v-q93c-6h6q)                 | `CVE-2024-37890` |
+| March 2026    | `socket.io-parser` | [Unbounded number of binary attachments](https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9) | `CVE-2026-33151` |
