python · python-engineio · Critical
python-engineio: Heartbeat DoS Vulnerability Fixed in 4.13.2
In python-engineio, the heartbeat mechanism could be exploited to create unnecessary background threads (or async tasks) per client, leading to potential denial of service.
What changed
Version 4.13.2 fixes this in three ways: the heartbeat thread (or async task) is launched only after the client has authenticated, at most one heartbeat thread is kept per client, and PONG packets that do not answer an outstanding PING are discarded rather than acted on.
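To make the three guards concrete, here is a constructed model of a per-client session object that applies them: no heartbeat before authentication, at most one heartbeat thread per client, and out-of-sequence PONGs dropped. This is an added illustration, not python-engineio's own code; the class `ClientSession`, the helper `count_heartbeat_starts`, and the default interval and timeout values are assumptions chosen for the example.

```python
"""Constructed model of the mitigation described in the advisory: a per-client
heartbeat that (1) is not started until the client has authenticated,
(2) exists at most once per client, and (3) ignores PONG packets that do
not answer an outstanding PING. Illustrative code, not python-engineio's
own implementation."""
import threading


class ClientSession:
    """Server-side state for one connected client (hypothetical class)."""

    def __init__(self, sid, ping_interval=25.0, ping_timeout=20.0):
        self.sid = sid
        self.ping_interval = ping_interval
        self.ping_timeout = ping_timeout
        self.authenticated = False
        self.closed = False
        self.pings_sent = 0
        self.dropped_pongs = 0          # out-of-sequence PONGs discarded
        self._ping_outstanding = False
        self._heartbeat_running = False
        self._pong = threading.Event()  # signalled when a valid PONG arrives
        self._stop = threading.Event()  # signalled on close()
        self._lock = threading.Lock()

    def authenticate(self):
        """Called once the handshake succeeds; only then may the heartbeat start."""
        self.authenticated = True
        return self.start_heartbeat()

    def start_heartbeat(self):
        """Start the heartbeat thread. Returns True only if a new thread was created."""
        with self._lock:
            if not self.authenticated or self.closed:
                return False            # unauthenticated clients get no thread
            if self._heartbeat_running:
                return False            # at most one heartbeat per client
            self._heartbeat_running = True
            self._send_ping_locked()    # first PING goes out synchronously
        threading.Thread(target=self._heartbeat_loop, daemon=True,
                         name=f"heartbeat-{self.sid}").start()
        return True

    def _send_ping_locked(self):
        # caller must hold self._lock
        self._ping_outstanding = True
        self._pong.clear()
        self.pings_sent += 1

    def receive_pong(self):
        """Handle a PONG from the client. Returns True if it answered a live PING."""
        with self._lock:
            if not self._ping_outstanding:
                self.dropped_pongs += 1  # unsolicited or duplicate PONG: discard
                return False
            self._ping_outstanding = False
            self._pong.set()
            return True

    def close(self):
        with self._lock:
            self.closed = True
        self._stop.set()

    def _heartbeat_loop(self):
        try:
            while not self._stop.is_set():
                # wait for the PONG that answers the PING just sent
                if not self._pong.wait(self.ping_timeout):
                    self.close()        # client missed its deadline
                    break
                # idle until the next PING is due, or until close()
                if self._stop.wait(self.ping_interval):
                    break
                with self._lock:
                    self._send_ping_locked()
        finally:
            with self._lock:
                self._heartbeat_running = False


def count_heartbeat_starts(session, attempts):
    """Return how many of `attempts` start requests actually created a thread."""
    return sum(1 for _ in range(attempts) if session.start_heartbeat())


if __name__ == "__main__":
    s = ClientSession("demo")
    print("before auth, thread started:", s.start_heartbeat())   # False
    print("auth starts heartbeat:", s.authenticate())            # True
    print("extra starts honoured:", count_heartbeat_starts(s, 5))  # 0
    print("pong accepted:", s.receive_pong(), "duplicate:", s.receive_pong())
    s.close()
```

The single `_heartbeat_running` flag, checked and set under the same lock, is what bounds the thread count to one per client regardless of how many start requests arrive; the `_ping_outstanding` flag is what turns a flood of PONGs into a counter increment instead of new work.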
Who it affects
Users of python-engineio, especially those running synchronous servers, as they are more susceptible to thread-based denial of service.
What to do today
Upgrade python-engineio to version 4.13.2 or later.
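A small constructed helper to confirm that the python-engineio in a given environment is at or past the fixed version named above. This is an added example, not part of the advisory or the project; `parse_version`, `is_fixed` and `installed_engineio_status` are names chosen here, and the treatment of pre-release suffixes is an assumption of this helper.

```python
"""Constructed helper to check the installed python-engineio against the
fixed version named in the advisory (4.13.2). Added example, not project code."""
from importlib import metadata

FIXED_VERSION = (4, 13, 2)


def parse_version(text):
    """Turn '4.13.1' or '4.13.2rc1' into a tuple of leading integers.
    Pre-release suffixes are dropped, so a pre-release of 4.13.2 counts as
    4.13.2 here (an assumption of this helper, not a statement about PEP 440)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_fixed(version_text):
    """True when version_text is 4.13.2 or later."""
    v = parse_version(version_text)
    # pad so that '4.13' compares as (4, 13, 0)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))
    return v >= FIXED_VERSION


def installed_engineio_status():
    """Return (version, fixed) for the installed package, or (None, None) if absent."""
    try:
        version = metadata.version("python-engineio")
    except metadata.PackageNotFoundError:
        return None, None
    return version, is_fixed(version)


if __name__ == "__main__":
    version, fixed = installed_engineio_status()
    if version is None:
        print("python-engineio is not installed")
    else:
        print(f"python-engineio {version}: {'fixed' if fixed else 'UPGRADE NEEDED'}")
```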