CVE-2026-59724 in Socket.IOinfo

Summary

by MITRE • 07/08/2026

Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as __proto__ through an inherited property of the clients object during WebTransport upgrade handling, causing a TypeError and denial of service. This issue is fixed in version 6.6.7.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability affects Socket.IO versions 6.5.0 through 6.6.6 where Engine.IO servers with WebTransport functionality enabled are susceptible to a specific type of denial of service attack. This flaw resides in how the server handles session ID resolution during WebTransport upgrade procedures, creating an exploitable condition that can be leveraged by malicious actors to disrupt service availability.

The technical root cause stems from improper handling of crafted session identifiers within the clients object structure during WebTransport protocol negotiation. When a client attempts to establish a WebTransport connection using a specially crafted session ID such as _proto_, the server's handling mechanism inadvertently accesses inherited properties rather than properly validating the session identifier against expected patterns. This particular vulnerability leverages JavaScript's prototype chain resolution behavior where _proto_ is recognized as a special property name that can be used to manipulate object inheritance.

The operational impact of this vulnerability manifests as a TypeError exception within the server process, leading to immediate service disruption and denial of service conditions for legitimate users attempting to establish WebTransport connections. Attackers can repeatedly exploit this condition to cause repeated service interruptions without requiring authentication or complex attack vectors. The vulnerability specifically targets the upgrade handling phase of WebTransport connections, making it particularly dangerous as it can be triggered during normal connection establishment processes.

This issue represents a classic example of prototype pollution in JavaScript applications and aligns with CWE-471, which addresses the improper handling of special property names that can lead to unexpected behavior in object-oriented programming environments. The vulnerability also maps to ATT&CK technique T1499.004, specifically targeting network denial of service through exploitation of application-level weaknesses. The flaw demonstrates how seemingly benign configuration options like WebTransport support can introduce security implications when not properly validated against known attack patterns.

Mitigation strategies should focus on upgrading to Socket.IO version 6.6.7 or later where the vulnerability has been patched. Organizations should also implement proper input validation for session identifiers during connection upgrade procedures, ensuring that special property names like _proto_ are rejected as invalid session identifiers. Additional defensive measures include monitoring for unusual patterns in WebTransport upgrade requests and implementing rate limiting on connection attempts to prevent abuse of this vulnerability. The fix implemented in version 6.6.7 properly validates session identifiers against expected patterns and prevents inheritance chain manipulation during the WebTransport upgrade process, resolving the TypeError condition that previously caused service disruption.

Responsible

GitHub M

Reservation

07/06/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!