Socket.IO Engine.IO Protocol Vulnerability in Versions Prior to 6.6.7
CVE-2026-59725
7.5HIGH
What is CVE-2026-59725?
The Engine.IO protocol in Socket.IO, which facilitates bidirectional communication across various platforms, is susceptible to a flaw present in versions up to 6.6.7. This vulnerability manifests when the protocol fails to adequately close the HTTP response for invalid binary POST requests that utilize the Content-Type: application/octet-stream. An unauthenticated attacker could exploit this issue to exhaust server-side connections and sockets, potentially leading to denial of service for legitimate users. The vulnerability has been addressed in version 6.6.7 with appropriate fixes.
Affected Version(s)
socket.io >= 4.1.0, < 6.6.7
