GHSA-M9GH-VJ53-GVH9

Vulnerability from github – Published: 2026-06-26 20:48 – Updated: 2026-06-26 20:48
VLAI
Summary
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced
Details

Impact

There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are:

  • POST requests, when using ASGI with the long polling transport
  • WebSocket messages, when using Aiohttp with the WebSocket transport

Patches

Version 4.13.2 addresses this issue as follows:

  • ASGI severs now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.
  • Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.13.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "python-engineio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:48:18Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nThere are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are:\n\n- POST requests, when using ASGI with the long polling transport\n- WebSocket messages, when using Aiohttp with the WebSocket transport\n\n### Patches\nVersion 4.13.2 addresses this issue as follows:\n\n- ASGI severs now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.\n- Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio.",
  "id": "GHSA-m9gh-vj53-gvh9",
  "modified": "2026-06-26T20:48:18Z",
  "published": "2026-06-26T20:48:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/miguelgrinberg/python-engineio/security/advisories/GHSA-m9gh-vj53-gvh9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/miguelgrinberg/python-engineio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "python-engineio has possible denial of service due to maximum payload size sometimes not being enforced"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…