Socket.IO Engine.IO Protocol Vulnerability in Versions Prior to 6.6.7
CVE-2026-59725

7.5HIGH

Key Information:

Vendor

Socketio

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59725?

The Engine.IO protocol in Socket.IO, which facilitates bidirectional communication across various platforms, is susceptible to a flaw present in versions up to 6.6.7. This vulnerability manifests when the protocol fails to adequately close the HTTP response for invalid binary POST requests that utilize the Content-Type: application/octet-stream. An unauthenticated attacker could exploit this issue to exhaust server-side connections and sockets, potentially leading to denial of service for legitimate users. The vulnerability has been addressed in version 6.6.7 with appropriate fixes.

Affected Version(s)

socket.io >= 4.1.0, < 6.6.7

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.