python-engineio has possible denial of service due to maximum payload size sometimes not being enforced
High severity • GitHub Reviewed
Published May 23, 2026 in miguelgrinberg/python-engineio • Updated Jun 26, 2026

Description

Published to the GitHub Advisory Database: Jun 26, 2026
Reviewed: Jun 26, 2026
Last updated: Jun 26, 2026
Impact
In two specific configurations of the python-engineio server, the size of an incoming message is not checked against the configured maximum before the message is read into memory. An attacker can send oversized messages in these configurations to force the server to allocate memory without bound, which is a denial-of-service condition. The two cases are:
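As an added illustration of the failure mode the Impact section describes, not code from python-engineio: the defect is one of ordering. A reader that buffers the whole message and only then compares its length against the limit has already handed the attacker control of the allocation; the limit has to be enforced on the running byte count while the message is still arriving. The chunked stream interface, the `PayloadTooLarge` exception and the 1,000,000-byte limit below are assumptions for the example (the library's own knob for this, from its documentation rather than from this advisory, is the `max_http_buffer_size` argument of `engineio.Server`).

```python
"""Enforce a payload size limit *before* buffering, not after.

Added example; this is not python-engineio's code. The chunked-reader
interface, the exception type and the default limit are assumptions.
"""
from typing import Callable, Iterable, Iterator

DEFAULT_MAX_PAYLOAD = 1_000_000  # assumed limit in bytes for the example
CHUNK = 64 * 1024                # assumed socket read size


class PayloadTooLarge(Exception):
    """Raised when an incoming message exceeds the configured limit."""


def read_unchecked(chunks: Iterable[bytes], limit: int = DEFAULT_MAX_PAYLOAD) -> bytes:
    """Vulnerable pattern: the whole message is buffered first and the limit
    is only compared afterwards, so the sender controls the allocation size."""
    data = b"".join(chunks)          # unbounded allocation happens here
    if len(data) > limit:
        raise PayloadTooLarge(len(data))
    return data


def read_capped(chunks: Iterable[bytes], limit: int = DEFAULT_MAX_PAYLOAD) -> bytes:
    """Hardened pattern: track the running size and abort as soon as the next
    chunk would cross the limit, so the buffer never exceeds the limit."""
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > limit:
            raise PayloadTooLarge(len(buf) + len(chunk))
        buf += chunk
    return bytes(buf)


class CountingStream:
    """Constructed attacker stream: yields `size` bytes of filler in fixed
    chunks and records how many bytes the reader actually pulled off the wire."""

    def __init__(self, size: int, chunk: int = CHUNK) -> None:
        self.size, self.chunk, self.delivered = size, chunk, 0

    def __iter__(self) -> Iterator[bytes]:
        while self.delivered < self.size:
            n = min(self.chunk, self.size - self.delivered)
            self.delivered += n
            yield b"A" * n


def bytes_buffered(reader: Callable[[Iterable[bytes], int], bytes],
                   size: int, limit: int = DEFAULT_MAX_PAYLOAD) -> int:
    """Feed `reader` an oversized message and report how many bytes it pulled
    into memory before it rejected the message (or finished reading it)."""
    stream = CountingStream(size)
    try:
        reader(stream, limit)
    except PayloadTooLarge:
        pass
    return stream.delivered


if __name__ == "__main__":
    oversized = 50 * DEFAULT_MAX_PAYLOAD  # 50x the limit, constructed input
    print("unchecked reader buffered:", bytes_buffered(read_unchecked, oversized))
    print("capped reader buffered:   ", bytes_buffered(read_capped, oversized))
```

The unchecked reader pulls the entire 50 MB message into memory before noticing it is too large; the capped reader stops within one chunk of the limit. The same ordering rule applies to any transport the server accepts messages on: the check belongs wherever bytes first accumulate, and a path that bypasses that accumulation point needs its own check.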
Patches
Version 4.13.2 addresses this issue as follows:
References