CVE-2026-59725 PUBLISHED

Socket.IO: Engine.IO Polling Transport Connection Exhaustion

Assigner: GitHub_M
Reserved: 06.07.2026 Published: 08.07.2026 Updated: 08.07.2026

Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor socketio
Product socket.io
Versions
  • Version >= 4.1.0, < 6.6.7 is affected

References

Problem Types

  • CWE-404: Improper Resource Shutdown or Release CWE