CVE-2026-59724
Received Received - Intake

Socket.IO Engine.IO WebTransport TypeError DoS

Vulnerability report for CVE-2026-59724, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as __proto__ through an inherited property of the clients object during WebTransport upgrade handling, causing a TypeError and denial of service. This issue is fixed in version 6.6.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
socket.io engine.io From 6.5.0 (inc) to 6.6.7 (exc)
socket.io engine.io 6.6.7
socket.io socket.io 6.6.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Engine.IO servers with WebTransport enabled in Socket.IO versions from 6.5.0 before 6.6.7. A malicious unauthenticated client can send a specially crafted WebTransport upgrade request containing a session ID like "__proto__". Due to improper input validation, the server incorrectly resolves this session ID through an inherited property of the clients object instead of a valid client. This causes a TypeError during the WebTransport upgrade handling, leading to an unhandled Promise rejection that crashes the Node.js process running the server.

The root cause is that the session ID lookup does not verify that the key is an own property of the clients object, allowing prototype pollution style attacks. The issue is fixed in Engine.IO version 6.6.7 by adding a helper function to safely check session IDs and reject invalid or malicious ones.

Compliance Impact

This vulnerability causes a denial of service (DoS) by crashing the Engine.IO server when handling crafted WebTransport upgrade requests with malicious session IDs. It does not directly impact confidentiality or integrity of data, as it has no effect on data leakage or unauthorized access.

However, the availability impact (high CVSS score for availability) could affect compliance with standards that require high availability and reliability of services, such as HIPAA's requirements for system availability and GDPR's principles of data processing continuity.

Organizations relying on Engine.IO with WebTransport enabled must address this vulnerability to maintain compliance with such regulations by ensuring their services are not vulnerable to denial of service attacks that could disrupt operations.

Impact Analysis

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to crash the server by triggering a denial of service (DoS) condition. The server process terminates due to an unhandled exception, which can cause service downtime.

If the server is run under a process supervisor, repeated exploitation attempts may cause crash loops, further impacting availability and reliability of the service.

Only deployments with WebTransport explicitly enabled are at risk, as WebTransport is not enabled by default.

Detection Guidance

This vulnerability can be detected by monitoring for WebTransport upgrade requests containing suspicious or crafted session IDs such as "__proto__" that cause the Engine.IO server to throw a TypeError and potentially crash.

Since the issue arises during WebTransport upgrade handling, detection involves checking server logs for unhandled Promise rejections or crashes triggered by invalid session IDs.

There are no specific commands provided in the resources, but you can use network monitoring tools or log analysis to identify WebTransport upgrade requests with unusual session IDs.

Additionally, you can test the server by sending crafted WebTransport upgrade requests with session IDs like "__proto__" to see if the server closes the connection or crashes, as described in the fix tests.

Mitigation Strategies

The primary mitigation is to upgrade Engine.IO to version 6.6.7 or later, where the vulnerability is fixed.

If upgrading immediately is not possible, you can temporarily mitigate the issue by disabling WebTransport support by excluding it from the enabled transports list.

Another mitigation is to restrict access to WebTransport endpoints at the reverse proxy or HTTP/3 layer to prevent malicious clients from reaching the vulnerable server.

Running the service under a process supervisor can provide partial availability mitigation by restarting the server after a crash, but it does not prevent repeated crash attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59724. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart