Skip to main content

Socket Io

2 CVEs product

Monthly

CVE-2026-59725 HIGH PATCH This Week

Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. No public exploit identified at time of analysis; the flaw is fixed in engine.io 6.6.7.

Information Disclosure Socket Io
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59724 HIGH PATCH This Week

Denial of service in Engine.IO 6.5.0 through 6.6.6 (the transport layer beneath Socket.IO) lets remote unauthenticated attackers crash the server by supplying a crafted session ID like '__proto__' during a WebTransport upgrade. Because the session ID is looked up against the internal clients object without guarding inherited properties, the resolved value is a prototype function rather than a client, triggering a TypeError that terminates request handling. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial to reproduce on any server that has WebTransport enabled.

Denial Of Service Socket Io
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. No public exploit identified at time of analysis; the flaw is fixed in engine.io 6.6.7.

Information Disclosure Socket Io
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Engine.IO 6.5.0 through 6.6.6 (the transport layer beneath Socket.IO) lets remote unauthenticated attackers crash the server by supplying a crafted session ID like '__proto__' during a WebTransport upgrade. Because the session ID is looked up against the internal clients object without guarding inherited properties, the resolved value is a prototype function rather than a client, triggering a TypeError that terminates request handling. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial to reproduce on any server that has WebTransport enabled.

Denial Of Service Socket Io
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy