Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, low-complexity crafted session ID, no auth or interaction, causing only a crash - availability-only A:H with C:N/I:N; the WebTransport prerequisite is a config condition, not a CVSS base metric.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as __proto__ through an inherited property of the clients object during WebTransport upgrade handling, causing a TypeError and denial of service. This issue is fixed in version 6.6.7.
AnalysisAI
Denial of service in Engine.IO 6.5.0 through 6.6.6 (the transport layer beneath Socket.IO) lets remote unauthenticated attackers crash the server by supplying a crafted session ID like '__proto__' during a WebTransport upgrade. Because the session ID is looked up against the internal clients object without guarding inherited properties, the resolved value is a prototype function rather than a client, triggering a TypeError that terminates request handling. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Engine.IO server must have WebTransport enabled - this is the exact, non-default configuration prerequisite; servers using only polling or WebSocket transports are not exploitable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H yields 7.5 (High) and is internally consistent: network-reachable, low-complexity, unauthenticated, availability-only impact with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker points a WebTransport-capable client at an Internet-exposed Engine.IO server (6.5.0-6.6.6) that has WebTransport enabled and initiates an upgrade using a session ID of '__proto__'. The server indexes its clients object with that key, receives an inherited function instead of a client object, and throws an unhandled TypeError that disrupts request handling and denies service to legitimate users. … |
| Remediation | Vendor-released patch: engine.io 6.6.7 - upgrade the engine.io dependency (directly or transitively via socket.io) to 6.6.7 or later, per the release at https://github.com/socketio/socket.io/releases/tag/engine.io@6.6.7 and advisory GHSA-gr94-w7qr-f4j3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit production and staging environments to identify Engine.IO instances running versions 6.5.0-6.6.6 and verify WebTransport configuration. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42312