Skip to main content

Engine.IO CVE-2026-59724

| EUVDEUVD-2026-42312 HIGH
Improper Input Validation (CWE-20)
2026-07-08 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable, low-complexity crafted session ID, no auth or interaction, causing only a crash - availability-only A:H with C:N/I:N; the WebTransport prerequisite is a config condition, not a CVSS base metric.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 17:01 EUVD
Analysis Generated
Jul 08, 2026 - 16:28 vuln.today

DescriptionCVE.org

Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as __proto__ through an inherited property of the clients object during WebTransport upgrade handling, causing a TypeError and denial of service. This issue is fixed in version 6.6.7.

AnalysisAI

Denial of service in Engine.IO 6.5.0 through 6.6.6 (the transport layer beneath Socket.IO) lets remote unauthenticated attackers crash the server by supplying a crafted session ID like '__proto__' during a WebTransport upgrade. Because the session ID is looked up against the internal clients object without guarding inherited properties, the resolved value is a prototype function rather than a client, triggering a TypeError that terminates request handling. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach WebTransport-enabled Engine.IO server
Delivery
Initiate WebTransport upgrade with session ID '__proto__'
Exploit
Server resolves inherited property from clients object
Execution
Unhandled TypeError thrown
Impact
Server request handling crashes (denial of service)

Vulnerability AssessmentAI

Exploitation The Engine.IO server must have WebTransport enabled - this is the exact, non-default configuration prerequisite; servers using only polling or WebSocket transports are not exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H yields 7.5 (High) and is internally consistent: network-reachable, low-complexity, unauthenticated, availability-only impact with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker points a WebTransport-capable client at an Internet-exposed Engine.IO server (6.5.0-6.6.6) that has WebTransport enabled and initiates an upgrade using a session ID of '__proto__'. The server indexes its clients object with that key, receives an inherited function instead of a client object, and throws an unhandled TypeError that disrupts request handling and denies service to legitimate users. …
Remediation Vendor-released patch: engine.io 6.6.7 - upgrade the engine.io dependency (directly or transitively via socket.io) to 6.6.7 or later, per the release at https://github.com/socketio/socket.io/releases/tag/engine.io@6.6.7 and advisory GHSA-gr94-w7qr-f4j3. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit production and staging environments to identify Engine.IO instances running versions 6.5.0-6.6.6 and verify WebTransport configuration. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy