Threat Advisory

Python-engineio Vulnerability Enables Unbounded Thread Creation Denial

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the python-engineio library (pip package) for versions up to 4.13.1. The flaws enable denial‑of‑service conditions through unbounded thread creation and failure to enforce maximum payload size, allowing an attacker to exhaust server resources. Exploitation requires a remote client that can initiate connections or send crafted POST or WebSocket messages, and works against synchronous and asynchronous deployments. The resulting impact includes service interruption, degraded performance, and potential loss of availability for applications that rely on real‑time communication, posing significant operational and reputational risk for businesses.

  • CVE-2026-48802 with a CVSS score of 7.5 – A thread‑allocation flaw in python‑engineio allows an attacker to trigger the server’s heartbeat mechanism repeatedly, spawning unnecessary background threads; exploitation requires only establishing a connection and sending crafted PONG packets, and can be performed remotely without authentication.
  • CVE-2026-48809 with a CVSS score of 7.5 – Improper payload size validation lets an attacker send oversized POST requests (ASGI long‑polling) or large WebSocket messages (Aiohttp) that are loaded into memory before checks, causing excessive memory allocation; the attack is feasible remotely against any unpatched server handling these transports.
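The thread-allocation weakness in the first bullet is a design pattern rather than a single line of code, so the following is an added example (not python-engineio's own code, and not taken from the advisories) that models the two ways a server can react to a client's PONG: starting a fresh watcher thread on every PONG, or keeping one watcher per connection and letting a PONG merely refresh a timestamp. The class names, the timeout value and the polling tick are assumptions for this illustration.

```python
# Added example, not python-engineio's own code. NaiveHeartbeat spawns a
# thread per PONG (the pattern the first bullet describes); BoundedHeartbeat
# keeps one watcher per connection. Names and timing values are assumptions.

import threading
import time
from typing import List, Optional

PING_TIMEOUT = 20.0  # seconds a connection may stay silent; illustrative value


class NaiveHeartbeat:
    """Weak pattern: each PONG starts a new thread that waits for the next one.
    A client sending PONGs in a tight loop dictates the server's thread count."""

    def __init__(self) -> None:
        self.threads_started = 0
        self._stop = threading.Event()
        self._threads: List[threading.Thread] = []

    def on_pong(self) -> None:
        t = threading.Thread(target=self._wait_for_next_pong, daemon=True)
        self.threads_started += 1
        self._threads.append(t)
        t.start()

    def _wait_for_next_pong(self) -> None:
        # Blocks until the connection closes or the timeout elapses.
        self._stop.wait(PING_TIMEOUT)

    def close(self) -> None:
        self._stop.set()
        for t in self._threads:
            t.join()


class BoundedHeartbeat:
    """Hardened pattern: at most one watcher thread per connection. A PONG only
    records when the client was last heard from; the watcher decides liveness."""

    def __init__(self, timeout: float = PING_TIMEOUT, tick: float = 0.05) -> None:
        self.threads_started = 0
        self.timed_out = False
        self._timeout = timeout
        self._tick = tick
        self._last_pong = time.monotonic()
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._watcher: Optional[threading.Thread] = None

    def on_pong(self) -> None:
        with self._lock:
            self._last_pong = time.monotonic()
            if self._watcher is None:  # idempotent: the watcher starts at most once
                self._watcher = threading.Thread(target=self._watch, daemon=True)
                self.threads_started += 1
                self._watcher.start()

    def _watch(self) -> None:
        # One loop per connection that polls a timestamp, instead of one thread per PONG.
        while not self._stop.wait(self._tick):
            with self._lock:
                silent_for = time.monotonic() - self._last_pong
            if silent_for > self._timeout:
                self.timed_out = True
                return

    def close(self) -> None:
        self._stop.set()
        if self._watcher is not None:
            self._watcher.join()


def threads_after_pongs(hb, pongs: int) -> int:
    """Drive `hb` with `pongs` PONGs, shut it down, and report threads started."""
    for _ in range(pongs):
        hb.on_pong()
    hb.close()
    return hb.threads_started


def times_out_when_silent(timeout: float, wait: float) -> bool:
    """Send one PONG to a BoundedHeartbeat, stay silent for `wait` seconds,
    and report whether the single watcher declared the connection dead."""
    hb = BoundedHeartbeat(timeout=timeout, tick=0.01)
    hb.on_pong()
    time.sleep(wait)
    hb.close()
    return hb.timed_out


if __name__ == "__main__":
    print("naive  :", threads_after_pongs(NaiveHeartbeat(), 50), "threads for 50 PONGs")
    print("bounded:", threads_after_pongs(BoundedHeartbeat(), 50), "thread for 50 PONGs")
```

The point for a reviewer of any real-time server is the invariant, not the class: the number of threads (or tasks) per connection must be fixed by the server, and a client message may only update state that an existing worker reads.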

These vulnerabilities collectively expose python-engineio deployments to easy denial‑of‑service attacks that can be launched from the internet. If exploited, services that depend on real‑time messaging may become unavailable, leading to disrupted business processes, lost revenue, and damage to customer trust. Prompt attention is required to mitigate the risk.
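The payload-size weakness in the second bullet above comes down to where the size check runs relative to the read. As an added example (not python-engineio's own code and not the fix shipped in 4.13.2), the block below contrasts a reader that buffers the whole body and measures afterwards with one that enforces the cap while the body is still arriving, plus the cheap Content-Length pre-check that refuses a declared oversize before any body byte is read. The cap value, the stream helpers and the function names are assumptions for this illustration.

```python
# Added example, not python-engineio's own code. read_unbounded() is the weak
# pattern the second bullet describes; read_bounded() and declared_length_ok()
# are the hardened counterparts. The cap and helper names are assumptions.

from typing import Callable, Iterable, Iterator, List, Mapping

MAX_HTTP_BUFFER_SIZE = 1_000_000  # illustrative cap: one megabyte per request


class PayloadTooLarge(Exception):
    """Raised when an incoming body exceeds the configured limit."""


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Yield `data` in `size`-byte pieces, standing in for a socket read loop."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def read_unbounded(chunks: Iterable[bytes], limit: int = MAX_HTTP_BUFFER_SIZE) -> bytes:
    """Weak pattern: assemble the whole body first, compare afterwards.
    Peak memory is decided by the sender, because the check runs too late."""
    body = b"".join(chunks)  # everything is resident before any size check
    if len(body) > limit:
        raise PayloadTooLarge(len(body))
    return body


def read_bounded(chunks: Iterable[bytes], limit: int = MAX_HTTP_BUFFER_SIZE) -> bytes:
    """Hardened pattern: keep a running total and stop at the first chunk that
    pushes it over the limit, so no more than `limit` plus one chunk is held."""
    parts: List[bytes] = []
    total = 0
    for chunk in chunks:
        total += len(chunk)
        if total > limit:
            raise PayloadTooLarge(total)
        parts.append(chunk)
    return b"".join(parts)


def declared_length_ok(headers: Mapping[str, str], limit: int = MAX_HTTP_BUFFER_SIZE) -> bool:
    """Cheapest check of all: if the client declares a Content-Length above the
    cap, refuse before reading a single body byte. A missing or malformed header
    is not trusted either way; the caller still goes through read_bounded()."""
    raw = {k.lower(): v for k, v in headers.items()}.get("content-length")
    if raw is None or not raw.isdigit():
        return True  # nothing usable declared; the streaming check still applies
    return int(raw) <= limit


def bytes_drawn_before_decision(reader: Callable[..., bytes], data: bytes,
                                chunk_size: int, limit: int) -> int:
    """Feed `data` to `reader` through a counting stream and report how many
    bytes the reader pulled into memory before it accepted or rejected the body."""
    drawn = 0

    def counting() -> Iterator[bytes]:
        nonlocal drawn
        for piece in chunked(data, chunk_size):
            drawn += len(piece)
            yield piece

    try:
        reader(counting(), limit)
    except PayloadTooLarge:
        pass
    return drawn


if __name__ == "__main__":
    # Constructed input: a 10 kB body delivered in 1 kB pieces against a 5 kB cap.
    body = b"x" * 10_000
    print("unbounded reader held", bytes_drawn_before_decision(read_unbounded, body, 1_000, 5_000), "bytes")
    print("bounded reader held  ", bytes_drawn_before_decision(read_bounded, body, 1_000, 5_000), "bytes")
```

With a 5 kB cap and 1 kB pieces the unbounded reader pulls all 10 kB into memory before it rejects anything, while the bounded reader stops at 6 kB, the first piece that crosses the line. The same reasoning applies to a WebSocket frame: the limit must be applied by the layer that receives the frame, not by code that runs after the frame has already been decoded into memory.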

RECOMMENDATION:

  • We recommend updating python-engineio to version 4.13.2.
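A deployment-side way to act on this recommendation is to compare the installed python-engineio release against the fixed version. The following is an added example, not part of the advisory or the project: it reads the installed distribution version through the standard library and compares it with a minimal version parser written for this example (the parser only considers the leading digits of each dotted component, which is enough for the release numbers named on this page).

```python
# Added example, not part of the advisory: checks whether the locally installed
# python-engineio is older than the fixed release named in the recommendation.
# parse_version() is a deliberately small parser written for this example.

from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Tuple

FIXED_VERSION = "4.13.2"      # first fixed release, from the recommendation above
PACKAGE = "python-engineio"   # distribution name of the pip package


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.13.1' (or '4.13.1rc1') into a comparable tuple of integers,
    keeping only the leading digits of each dotted component."""
    parts = []
    for component in text.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is older than the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def audit_installed(package: str = PACKAGE) -> str:
    """Report whether the package installed in this interpreter needs the update."""
    try:
        current = installed_version(package)
    except PackageNotFoundError:
        return f"{package} is not installed in this environment"
    if is_vulnerable(current):
        return f"{package} {current} is affected; update to {FIXED_VERSION} or later"
    return f"{package} {current} is at or above {FIXED_VERSION}"


if __name__ == "__main__":
    print(audit_installed())
```

Run it inside the same virtual environment that serves the application; a check run from a different interpreter reports on the wrong installation.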

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-cgwc-pv48-fhj5
https://github.com/advisories/GHSA-m9gh-vj53-gvh9
