python · python-engineio · Critical
python-engineio: Unchecked message size in ASGI long polling and Aiohttp WebSocket
In python-engineio, incoming message size is not checked before loading into memory for POST requests with ASGI long polling transport and WebSocket messages with Aiohttp WebSocket transport.
What changed
Because the size of an incoming message is never checked before it is loaded into memory, the affected transports buffer whatever a client sends: POST bodies on the ASGI long polling transport and WebSocket messages on the Aiohttp WebSocket transport. Version 4.13.2 patches this by discarding oversized or unauthenticated requests in the ASGI layer and by configuring a maximum payload size in the Aiohttp WebSocket layer.
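As an added illustration of the ASGI-side mitigation the advisory describes (example code, not python-engineio's own fix): a bounded body reader that stops buffering as soon as a configurable cap is exceeded instead of concatenating chunks until the stream ends. `MAX_BODY_BYTES`, `read_body_bounded`, and the replayed `receive()` callable are assumptions constructed for this example.

```python
import asyncio

# Hypothetical cap chosen for this example; not the limit python-engineio uses.
MAX_BODY_BYTES = 1_000_000


class PayloadTooLarge(Exception):
    """Raised when a request body exceeds the configured limit."""


async def read_body_bounded(receive, max_bytes=MAX_BODY_BYTES):
    """Drain an ASGI 'http.request' stream, aborting once max_bytes is exceeded.

    The unsafe pattern this replaces is appending every chunk until
    more_body is False, which lets a client dictate how much memory the
    server allocates for a single request.
    """
    chunks = []
    total = 0
    while True:
        message = await receive()
        if message["type"] == "http.disconnect":
            raise ConnectionError("client disconnected mid-body")
        chunk = message.get("body", b"")
        total += len(chunk)
        if total > max_bytes:
            # Stop buffering immediately; the rest of the stream is never read.
            raise PayloadTooLarge(f"body exceeds {max_bytes} bytes")
        chunks.append(chunk)
        if not message.get("more_body", False):
            return b"".join(chunks)


def make_receive(chunks):
    """Constructed ASGI receive() that replays the given body chunks in order."""
    pending = list(chunks)

    async def receive():
        chunk = pending.pop(0)
        return {"type": "http.request", "body": chunk,
                "more_body": bool(pending)}

    return receive


def drain(chunks, max_bytes=MAX_BODY_BYTES):
    """Run the bounded reader; return the body, or 'too_large' if the cap hit."""
    try:
        return asyncio.run(read_body_bounded(make_receive(chunks), max_bytes))
    except PayloadTooLarge:
        return "too_large"
```

On the Aiohttp side the equivalent knob is the `max_msg_size` argument of `aiohttp.web.WebSocketResponse`, which bounds incoming frame size before the message is assembled.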
Who it affects
Users of the python-engineio server running the ASGI long polling transport or the Aiohttp WebSocket transport.
What to do today
Upgrade python-engineio to version 4.13.2 or later.