Skip to main content

Socket.IO EUVDEUVD-2026-42313

| CVE-2026-59725 HIGH
Improper Resource Shutdown or Release (CWE-404)
2026-07-08 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity POST to the polling endpoint with no interaction; impact is pure resource-exhaustion DoS, so A:H and C:N/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 17:01 EUVD
Analysis Generated
Jul 08, 2026 - 16:30 vuln.today

DescriptionCVE.org

Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7.

AnalysisAI

Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Socket.IO polling endpoint
Delivery
Send invalid binary POST (application/octet-stream)
Exploit
Server fails to close HTTP response
Execution
Leak socket and connection slot
Persist
Repeat to exhaust sockets/FDs
Impact
Legitimate clients denied service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run the Engine.IO protocol v4 HTTP long-polling transport (the default polling fallback in affected socket.io/engine.io versions 4.1.0-6.6.6) and accept client POST requests; the specific trigger is an invalid binary POST body sent with Content-Type: application/octet-stream, which the server fails to close. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent with the description: network-reachable, low-complexity, unauthenticated, no user interaction, and impact limited purely to availability (C:N/I:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-facing Socket.IO service that accepts the Engine.IO v4 HTTP polling transport and scripts a loop that repeatedly POSTs malformed binary bodies with Content-Type: application/octet-stream. Each request leaves an HTTP response and its socket open, so within minutes the server runs out of available connections and file descriptors and stops serving legitimate users. …
Remediation Vendor-released patch: engine.io 6.6.7 - upgrade the engine.io dependency (directly or transitively via socket.io) to 6.6.7 or later, per release https://github.com/socketio/socket.io/releases/tag/engine.io@6.6.7 and advisory GHSA-r635-g3xr-vw7x. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct inventory of all systems running Socket.IO/Engine.IO and identify affected versions (4.1.0 through 6.6.6). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy