CVE-2026-59725
Received Received - Intake

Engine.IO Protocol v4 Polling Connection Exhaustion in Socket.IO

Vulnerability report for CVE-2026-59725, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
socket.io engine.io From 4.1.0 (inc) to 6.6.7 (exc)
socket.io engine.io 6.6.7
socket.io socket.io *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing an unauthenticated remote attacker to exhaust your server's resources, such as HTTP connections and sockets, through repeated invalid binary POST requests.

As a result, your server may become unavailable or unresponsive, leading to a denial of service condition.

The attack requires no privileges or user interaction and can be performed remotely over the network.

Executive Summary

CVE-2026-59725 is a high-severity vulnerability in the Engine.IO library used by Socket.IO, affecting versions from 4.1.0 up to before 6.6.7. The issue occurs because the Engine.IO protocol v4 polling transport does not properly close HTTP responses for invalid binary POST requests with the Content-Type set to application/octet-stream.

An unauthenticated attacker can exploit this by sending crafted invalid binary POST requests, causing the server to report a transport error but fail to close the HTTP connection properly. This leaves the connection open and consumes server-side sockets or resources.

Repeated exploitation can exhaust server resources such as HTTP connections, sockets, or file descriptors, potentially leading to denial of service.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or excessive Engine.IO polling POST requests with the Content-Type header set to application/octet-stream. Such requests cause the server to report transport errors but fail to close the HTTP response properly, leaving connections open.

To detect exploitation attempts, you can look for repeated invalid binary POST requests to the Engine.IO polling endpoint and check for a high number of open or hanging HTTP connections or sockets related to these requests.

Suggested commands include using network monitoring or packet capture tools like tcpdump or Wireshark to filter for POST requests with Content-Type: application/octet-stream targeting the Engine.IO polling endpoint.

  • tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST' -A 10 | grep 'Content-Type: application/octet-stream'
  • Use netstat or ss to check for many open or hanging connections on the server related to the service port (e.g., netstat -anp | grep <service_port>)
  • Check server logs for repeated transport errors or abnormal connection counts related to Engine.IO polling requests.
Mitigation Strategies

The primary and recommended mitigation is to upgrade Engine.IO to version 6.6.7 or later, or update Socket.IO if using it through the monorepo, as this version contains the fix that properly closes invalid binary polling POST requests.

If immediate upgrade is not possible, temporary mitigations include:

  • Blocking or rejecting polling POST requests with the Content-Type header set to application/octet-stream.
  • Disabling HTTP long-polling transport to prevent exploitation via polling requests.
  • Enforcing strict timeouts on HTTP connections to limit resource exhaustion.
  • Applying rate limits on requests to the Engine.IO polling endpoint.
  • Restricting access to the Engine.IO polling endpoint to trusted clients or networks.
Compliance Impact

The vulnerability allows an unauthenticated attacker to exhaust server-side connections and sockets, leading to a denial of service (DoS) condition. This impacts the availability of the affected system.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the denial of service caused by resource exhaustion could affect the availability requirement of these regulations.

Standards like GDPR and HIPAA require ensuring the availability of systems and data. A successful exploitation of this vulnerability could disrupt service availability, potentially leading to non-compliance with these regulations.

No direct information is provided about data confidentiality or integrity impacts, so the primary compliance concern relates to availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59725. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart