Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote, unauthenticated, low-complexity POST to the polling endpoint with no interaction; impact is pure resource-exhaustion DoS, so A:H and C:N/I:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7.
AnalysisAI
Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run the Engine.IO protocol v4 HTTP long-polling transport (the default polling fallback in affected socket.io/engine.io versions 4.1.0-6.6.6) and accept client POST requests; the specific trigger is an invalid binary POST body sent with Content-Type: application/octet-stream, which the server fails to close. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent with the description: network-reachable, low-complexity, unauthenticated, no user interaction, and impact limited purely to availability (C:N/I:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates an internet-facing Socket.IO service that accepts the Engine.IO v4 HTTP polling transport and scripts a loop that repeatedly POSTs malformed binary bodies with Content-Type: application/octet-stream. Each request leaves an HTTP response and its socket open, so within minutes the server runs out of available connections and file descriptors and stops serving legitimate users. … |
| Remediation | Vendor-released patch: engine.io 6.6.7 - upgrade the engine.io dependency (directly or transitively via socket.io) to 6.6.7 or later, per release https://github.com/socketio/socket.io/releases/tag/engine.io@6.6.7 and advisory GHSA-r635-g3xr-vw7x. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct inventory of all systems running Socket.IO/Engine.IO and identify affected versions (4.1.0 through 6.6.6). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42313