Socket Io
Monthly
Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. No public exploit identified at time of analysis; the flaw is fixed in engine.io 6.6.7.
Denial of service in Engine.IO 6.5.0 through 6.6.6 (the transport layer beneath Socket.IO) lets remote unauthenticated attackers crash the server by supplying a crafted session ID like '__proto__' during a WebTransport upgrade. Because the session ID is looked up against the internal clients object without guarding inherited properties, the resolved value is a prototype function rather than a client, triggering a TypeError that terminates request handling. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial to reproduce on any server that has WebTransport enabled.
Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. No public exploit identified at time of analysis; the flaw is fixed in engine.io 6.6.7.
Denial of service in Engine.IO 6.5.0 through 6.6.6 (the transport layer beneath Socket.IO) lets remote unauthenticated attackers crash the server by supplying a crafted session ID like '__proto__' during a WebTransport upgrade. Because the session ID is looked up against the internal clients object without guarding inherited properties, the resolved value is a prototype function rather than a client, triggering a TypeError that terminates request handling. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial to reproduce on any server that has WebTransport enabled.