socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. Reference: https://github.com/bcaller/kill-engine-io https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55
External References: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056753
Similar to CVE-2020-36048, I think this should have an Important impact as its primary use is to decode packets as part of the socket.io library. So again, results in a remote DoS. However again leaving Quay affects as Low, as these look like dev dependencies to me but want to confirm with engineering.
$ npm list --prod | grep socket
Upstream fix: https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55
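The "concatenation approach" named in the description above, shown as an added illustration that is not socket.io-parser's own code or the linked fix: a packet header field read by appending one character at a time into a growing string, beside the same field extracted by index with a length cap and validation. The header layout (type digit, optional attachment count, '-') follows the socket.io packet format; the function names, the digit cap and the sample packets are assumptions of this example.

```javascript
// Added illustration (not socket.io-parser's own code or the linked fix).
// A socket.io packet header starts with a type digit, optionally
// followed by a binary-attachment count and '-' (e.g. "51-[...]").
// Function names and the digit cap below are assumptions of this example.

// Unbounded pattern: keep appending characters until a '-' is found.
// A large packet with no '-' makes `buf` grow with the whole packet,
// so the parser does packet-sized work before it can reject anything.
function parseAttachmentsUnbounded(str, i) {
  let buf = '';
  while (str.charAt(++i) !== '-' && i < str.length) {
    buf += str.charAt(i);
  }
  return { attachments: Number(buf), pos: i, scanned: buf.length };
}

// Bounded pattern: scan at most MAX_ATTACHMENT_DIGITS characters by
// index, then validate the field before converting it. Oversized or
// malformed headers are rejected without any packet-sized allocation.
const MAX_ATTACHMENT_DIGITS = 10; // assumed cap, not a protocol value
function parseAttachmentsBounded(str, i) {
  const start = i + 1;
  let end = start;
  while (end < str.length && end - start < MAX_ATTACHMENT_DIGITS &&
         str.charAt(end) !== '-') {
    end++;
  }
  const field = str.slice(start, end);
  if (str.charAt(end) !== '-' || !/^\d+$/.test(field)) {
    throw new Error('Illegal attachments');
  }
  return { attachments: Number(field), pos: end, scanned: field.length };
}

// Returns true when the bounded parser rejects the packet header.
function rejectsHeader(str) {
  try { parseAttachmentsBounded(str, 0); return false; } catch (e) { return true; }
}

// Constructed sample packets: a well-formed binary event header, and an
// oversized header with no '-' terminator used as a robustness check.
const GOOD = '51-["event",{"_placeholder":true,"num":0}]';
const OVERSIZED = '5' + '1'.repeat(100000);
```

With these inputs the unbounded parser copies all 100000 digits of `OVERSIZED` into `buf` before returning, while the bounded parser stops after the cap and throws.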