Denial of Service Vulnerability in Engine.IO Servers by Socket.IO
CVE-2026-59724
7.5HIGH
What is CVE-2026-59724?
Socket.IO enables seamless bidirectional communication for various platforms. A vulnerability in Engine.IO versions 6.5.0 to 6.6.6 with WebTransport enabled allows the exploitation of crafted session IDs via inherited properties in the client object during WebTransport upgrade handling. This can trigger a TypeError, leading to a denial of service condition. Users are encouraged to upgrade to version 6.6.7, where this issue has been resolved.
Affected Version(s)
socket.io >= 6.5.0, < 6.6.7
