CVE-2026-59725 in Socket.IO
Summary
by MITRE • 07/08/2026
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability described affects Socket.IO versions 4.1.0 through 6.6.6, specifically impacting the Engine.IO protocol v4 polling transport mechanism that facilitates bidirectional communication across various platforms. This flaw represents a critical denial-of-service condition that exploits improper handling of HTTP responses during invalid binary POST requests. The issue manifests when the system receives malformed requests with Content-Type: application/octet-stream where the response closure mechanism fails, creating persistent connection states that cannot be properly terminated.
The technical root cause lies in the inadequate validation and resource management within the polling transport implementation. When processing invalid binary POST requests, the system fails to properly close HTTP response channels, leading to resource leakage and connection exhaustion. This behavior creates a state where server resources remain occupied indefinitely, preventing new legitimate connections from being established and effectively rendering the service unavailable to authorized users. The vulnerability operates at the protocol level within the Engine.IO transport layer, specifically affecting how binary data is handled during polling operations.
From an operational perspective, this vulnerability enables unauthenticated attackers to perform resource exhaustion attacks against Socket.IO servers without requiring any authentication credentials or privileged access. The attack vector is particularly dangerous because it can be executed by anyone capable of sending malformed HTTP requests to the target server, making it accessible to a broad range of threat actors. The impact extends beyond simple service disruption as it can cause cascading failures in applications relying on real-time communication features, potentially affecting critical infrastructure or user-facing services.
The fix implemented in version 6.6.7 addresses this issue by ensuring proper HTTP response closure mechanisms are enforced during invalid binary POST request processing. This remediation aligns with security best practices for resource management and connection handling within web protocols. Organizations should prioritize upgrading to version 6.6.7 or later to mitigate this vulnerability, as the fix directly addresses the improper resource cleanup that enabled the denial-of-service condition.
This vulnerability classifies under CWE-400, specifically related to resource exhaustion due to improper response handling, and aligns with ATT&CK technique T1499.004 for network denial of service attacks. The attack pattern demonstrates characteristics consistent with resource-based attacks targeting connection management within real-time communication frameworks, emphasizing the importance of robust input validation and proper resource cleanup in high-availability systems.