CVE-2026-48802
Python Vulnerability Analysis and Mitigation

Overview

CVE-2026-48802 is an unbounded thread allocation vulnerability in the python-engineio library that allows unauthenticated remote attackers to cause a denial of service by exhausting server threads. It affects all versions up to and including 4.13.1; the fix was introduced in version 4.13.2. The vulnerability was first published by the maintainer on May 23, 2026, and added to the GitHub Advisory Database on June 26, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (Github Advisory, Security Advisory).

Technical details

The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling) in the heartbeat mechanism of python-engineio. The server spawns a new background thread each time a new connection is received, and again each time a client sends a PONG packet, without enforcing a single active heartbeat thread per client and without checking that the client has completed authentication before creating the thread. An attacker can exploit this by repeatedly sending PONG packets, or by initiating connections without completing authentication, causing unbounded thread proliferation. The issue primarily affects synchronous server deployments: asynchronous servers use lightweight background tasks rather than OS threads, which makes them less susceptible to resource exhaustion, although the fix was applied to both modes (Github Advisory, Security Advisory).

Impact

Successful exploitation results in thread exhaustion on the affected server, leading to denial of service — the server becomes unable to handle legitimate connections as system resources are consumed by unnecessary heartbeat threads. There is no impact on confidentiality or data integrity; the sole consequence is high availability impact. Synchronous deployments are at greatest risk, as OS-level threads are a finite and expensive resource compared to the async tasks used in asynchronous server configurations (Github Advisory).

Exploitation steps

  1. Reconnaissance: Identify internet-facing services using python-engineio in synchronous mode (e.g., Flask-SocketIO applications), which can be fingerprinted via Engine.IO handshake responses.
  2. Initiate connections: Open a large number of WebSocket or HTTP long-poll connections to the target Engine.IO endpoint (e.g., /socket.io/?EIO=4&transport=websocket) without completing authentication, triggering a heartbeat thread per connection.
  3. Send out-of-sequence PONG packets: For each established connection, repeatedly send PONG packets to the server. Each PONG causes the server to spawn an additional heartbeat background thread without checking whether one is already active.
  4. Exhaust server threads: Continue flooding the server with connections and PONG packets until the OS thread limit is reached, causing the server to become unresponsive to legitimate clients (Github Advisory, Security Advisory).

Indicators of compromise

  • Network: Unusually high volume of WebSocket or HTTP long-poll connections to the Engine.IO endpoint from one or more source IPs; repeated PONG packets sent without corresponding PING from the server.
  • Process: Rapidly increasing number of Python threads in the server process (observable via ps, top, or /proc/<pid>/status); server process memory and CPU usage climbing without a corresponding increase in legitimate traffic.
  • Logs: Engine.IO or application logs showing a large number of simultaneous connection events or heartbeat thread launches; connection attempts that do not complete the authentication handshake.
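The process and network indicators above can be checked mechanically. The following Python script is an added example, not part of the Wiz report or of python-engineio: it parses the `Threads:` line of a `/proc/<pid>/status` excerpt, flags sampling intervals in which the thread count jumps, and scans a constructed Engine.IO packet log for client PONG packets (type `3`) that were not preceded by an outstanding server PING (type `2`). The status excerpt, the log format (`<timestamp> S>|C> sid=<id> pkt=<payload>`) and the session IDs are constructed for the example; the `100 threads per interval` threshold is an assumed starting point, not a value from the advisory.

```python
import re
from collections import defaultdict

# Constructed excerpt of /proc/<pid>/status (not captured from a real host).
STATUS_SAMPLE = """Name:\tpython3
State:\tS (sleeping)
Pid:\t4242
Threads:\t1873
"""

# Engine.IO packet type codes: first character of the payload.
PING, PONG = "2", "3"

# Constructed packet log in an assumed format. "S>" = sent by server,
# "C>" = sent by client. Session k3Jz answers one PING with three PONGs.
PACKET_LOG = """\
2026-05-24T10:00:00Z S> sid=k3Jz pkt=2
2026-05-24T10:00:00Z C> sid=k3Jz pkt=3
2026-05-24T10:00:01Z C> sid=k3Jz pkt=3
2026-05-24T10:00:01Z C> sid=k3Jz pkt=3
2026-05-24T10:00:02Z S> sid=Q9ab pkt=2
2026-05-24T10:00:02Z C> sid=Q9ab pkt=3
2026-05-24T10:00:03Z C> sid=Q9ab pkt=4hello
"""

LOG_RE = re.compile(r"^\S+ (?P<dir>[SC]>) sid=(?P<sid>\S+) pkt=(?P<pkt>\S+)$")


def thread_count(status_text):
    """Return the value of the Threads: line from /proc/<pid>/status text."""
    m = re.search(r"^Threads:\s+(\d+)$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def thread_growth_alerts(samples, max_per_interval=100):
    """samples: thread counts taken at a fixed interval. Return the indices of
    samples whose count grew by more than max_per_interval since the previous one."""
    return [i for i in range(1, len(samples))
            if samples[i] - samples[i - 1] > max_per_interval]


def out_of_sequence_pongs(log_text):
    """Return {sid: count} of client PONGs with no outstanding server PING.
    Each server PING allows exactly one PONG; any extra PONG is out of sequence."""
    pending = defaultdict(int)   # outstanding PINGs per session
    suspicious = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        direction, sid, ptype = m["dir"], m["sid"], m["pkt"][0]
        if direction == "S>" and ptype == PING:
            pending[sid] += 1
        elif direction == "C>" and ptype == PONG:
            if pending[sid] > 0:
                pending[sid] -= 1
            else:
                suspicious[sid] += 1
    return dict(suspicious)


if __name__ == "__main__":
    print("threads:", thread_count(STATUS_SAMPLE))
    print("growth alerts:", thread_growth_alerts([20, 25, 400, 410, 900]))
    print("out-of-sequence PONGs:", out_of_sequence_pongs(PACKET_LOG))
```

On a live host, feed `thread_count` the contents of `/proc/<pid>/status` for the server process at a fixed interval and pass the series to `thread_growth_alerts`; a steady climb with flat legitimate traffic matches the process indicator above. The PONG check assumes the application logs Engine.IO packets with direction and session ID; python-engineio does not emit that format by itself, so adapt the regex to whatever the deployment records.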

Mitigation and workarounds

Upgrade python-engineio to version 4.13.2 or later, which restricts heartbeat thread creation to authenticated clients and enforces a single active heartbeat thread per client, discarding out-of-sequence PONG packets. No configuration-based workaround is documented; upgrading is the recommended and only confirmed remediation. Operators using synchronous server deployments should prioritize this update given the higher severity of thread exhaustion in that context (Github Advisory, Security Advisory).
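To make the CWE-770 pattern behind the exploitation steps and the behaviour of the fix concrete, the following Python model is added here; it is not python-engineio's own code and does not reproduce its internals. `VulnerableSocket` spawns a heartbeat thread on every PONG, as the advisory describes for versions up to 4.13.1; `FixedSocket` applies the three rules attributed to 4.13.2 (ignore PONGs from clients that have not completed authentication, discard PONGs that do not answer an outstanding PING, and keep at most one heartbeat thread per socket). The class names, the `connected` flag and the `awaiting_pong` bookkeeping are assumptions of the model. The `flood` helper plays the attacker's step 3 against either socket and returns how many heartbeat threads stay alive.

```python
import threading

PONG = "3"  # Engine.IO packet type code for PONG


class VulnerableSocket:
    """Model (assumed, simplified) of the pre-4.13.2 behaviour: every PONG
    starts a new heartbeat thread, with no per-client limit and no check that
    the client has completed authentication."""

    def __init__(self, connected=False):
        self.connected = connected       # has the client finished the handshake?
        self.threads = []
        self._stop = threading.Event()   # lets the demo shut its threads down

    def _heartbeat(self):
        # Stand-in for the real heartbeat loop: hold the thread until shutdown.
        self._stop.wait()

    def receive(self, packet):
        if packet == PONG:
            t = threading.Thread(target=self._heartbeat, daemon=True)
            t.start()
            self.threads.append(t)

    def live_threads(self):
        return sum(1 for t in self.threads if t.is_alive())

    def close(self):
        self._stop.set()
        for t in self.threads:
            t.join(timeout=1)


class FixedSocket(VulnerableSocket):
    """Model (assumed, simplified) of the 4.13.2 rules: authenticated clients
    only, one PONG per outstanding PING, at most one heartbeat thread."""

    def __init__(self, connected=False):
        super().__init__(connected)
        self.heartbeat_thread = None
        self.awaiting_pong = False

    def send_ping(self):
        self.awaiting_pong = True        # server sent a PING; one PONG is expected

    def receive(self, packet):
        if packet != PONG:
            return
        if not self.connected:
            return                        # unauthenticated client: ignore
        if not self.awaiting_pong:
            return                        # out-of-sequence PONG: discard
        self.awaiting_pong = False
        if self.heartbeat_thread is not None and self.heartbeat_thread.is_alive():
            return                        # a heartbeat thread already exists
        self.heartbeat_thread = threading.Thread(target=self._heartbeat, daemon=True)
        self.heartbeat_thread.start()
        self.threads.append(self.heartbeat_thread)


def flood(sock, count):
    """Attacker step 3: send `count` PONGs; return surviving heartbeat threads."""
    for _ in range(count):
        sock.receive(PONG)
    return sock.live_threads()


if __name__ == "__main__":
    vulnerable = VulnerableSocket(connected=False)
    print("vulnerable, unauthenticated, 200 PONGs ->", flood(vulnerable, 200), "threads")
    vulnerable.close()

    fixed = FixedSocket(connected=True)
    fixed.send_ping()
    print("fixed, authenticated, 200 PONGs ->", flood(fixed, 200), "thread")
    fixed.close()
```

With the vulnerable model the thread count equals the number of PONGs sent, which is the exhaustion the advisory describes; with the fixed model an unauthenticated client gets no thread at all and an authenticated one gets exactly one regardless of how many PONGs it sends.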

Community reactions

The vulnerability was reported by community researcher mauriceng98 and disclosed by maintainer Miguel Grinberg via a GitHub Security Advisory on May 23, 2026. A Reddit post in r/Network referenced the vulnerability as part of a threat intelligence roundup on May 26, 2026. No broader media coverage or notable vendor statements beyond the official advisory have been identified (Github Advisory).

Additional resources

This report was generated with the help of AI.

Related Python vulnerabilities:

CVE ID                Severity  Score  Technology  Component        CISA KEV exploit  Fixed  Publication date
CVE-2026-48804        HIGH      7.5    Python      python-socketio  No                Yes    Jun 26, 2026
CVE-2026-48802        HIGH      7.5    Python      python-engineio  No                Yes    Jun 26, 2026
GHSA-75mw-h36v-2jv7   MEDIUM    6.1    Python      dosage           No                Yes    Jun 26, 2026
CVE-2026-48813        LOW       N/A    Python      flawfinder       No                Yes    Jun 26, 2026
GHSA-98x5-vq43-vc5p   CRITICAL  N/A    Python      semantic-router  No                Yes    Jun 26, 2026
