CVE-2026-48804 is a denial-of-service vulnerability in the python-socketio library caused by unbounded accumulation of binary message attachments in server memory. The vulnerability affects all versions up to and including 5.16.1 and was originally published by the maintainer on May 23, 2026, with the advisory added to the GitHub Advisory Database on June 26, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Repo Advisory).
The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The python-socketio server holds binary EVENT and ACK messages in memory while awaiting their associated binary attachments; once all attachments arrive, the message is processed. An unauthenticated attacker can exploit this by sending a binary message and deliberately withholding one or more of its attachments, causing the server to retain the partial message and any received attachments indefinitely, consuming increasing amounts of memory. No authentication or user interaction is required, and the attack is executable remotely over the network with low complexity (GitHub Advisory, Repo Advisory).
Successful exploitation results in progressive memory exhaustion on the server hosting python-socketio, ultimately causing a denial-of-service condition. There is no impact on confidentiality or data integrity — the vulnerability is purely an availability issue. A single attacker or a small number of connections repeatedly submitting incomplete binary messages could degrade or crash the server, affecting all users of the application (GitHub Advisory).
Identifying exposed servers: locate internet-facing Socket.IO servers that may be running python-socketio version 5.16.1 or earlier, for example by scanning for Socket.IO handshake endpoints (e.g., /socket.io/) using tools like Shodan or direct HTTP probing. Note that the handshake response identifies a Socket.IO server but not which library or version serves it, so version confirmation requires access to the deployment's dependency manifest.
Exploitation: send a binary EVENT or ACK packet that declares multiple binary attachments (e.g., 52-["event",{"_placeholder":true,"num":0},{"_placeholder":true,"num":1}], where the leading 5 is the BINARY_EVENT packet type and 2- is the declared attachment count) but intentionally send only a subset of the declared attachments, leaving the server holding the partial message.
Indicators: steadily growing memory usage in the python-socketio server process (observable via top, htop, or application performance monitoring); eventual out-of-memory errors or process crashes in system logs.
Remediation: upgrade python-socketio to version 5.16.2 or later, which addresses the issue by restricting binary packet acceptance to authenticated clients only and by cleaning up any partial binary messages held in memory when a client disconnects. No configuration-based workaround is documented; upgrading is the recommended and only confirmed remediation. Operators should also consider enforcing authentication on their Socket.IO endpoints as a defense-in-depth measure (GitHub Advisory, Repo Advisory).
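The buffering behaviour described above and the two remediation measures (gating binary packets on authenticated clients, freeing partial messages on disconnect) are modelled in the following added example. It is illustrative code written for this page, not python-socketio's implementation: the one-pending-message-per-session layout, the names PendingBinary, VulnerableServer, HardenedServer, run_attack and ATTACK_HEADER, and the `accepted` set standing in for whatever the library uses to recognise an authenticated client are all this example's own assumptions. The cap on declared attachment count (MAX_DECLARED) is an extra defence-in-depth measure added here and is not part of the advisory.

```python
"""Illustrative model of Socket.IO binary-attachment buffering (example code,
not python-socketio's implementation).

A binary EVENT (type 5) or ACK (type 6) header such as 52-["event",...] tells
the server how many binary frames follow. The server must hold the header
until those frames arrive; what happens to that state when they never arrive
is the whole vulnerability.
"""
import re

# Socket.IO packet header: <type>[<attachment count>-][payload]
_HEADER_RE = re.compile(r"^(?P<type>[0-6])(?:(?P<count>\d+)-)?(?P<rest>.*)$", re.S)
BINARY_EVENT, BINARY_ACK = 5, 6

# Constructed attack traffic: header declaring two attachments, only one is sent.
ATTACK_HEADER = '52-["upload",{"_placeholder":true,"num":0},{"_placeholder":true,"num":1}]'
ATTACHMENT = b"\x00" * 1024


def parse_header(pkt):
    """Split a Socket.IO text packet into (type, declared attachments, payload)."""
    m = _HEADER_RE.match(pkt)
    if m is None:
        raise ValueError("not a Socket.IO packet")
    count = int(m.group("count")) if m.group("count") else 0
    return int(m.group("type")), count, m.group("rest")


class PendingBinary:
    """A binary header waiting for its declared attachments."""
    def __init__(self, header, declared):
        self.header, self.declared, self.attachments = header, declared, []

    def add(self, data):
        self.attachments.append(data)
        return len(self.attachments) >= self.declared  # True once complete

    def size(self):
        return len(self.header) + sum(len(a) for a in self.attachments)


class VulnerableServer:
    """Keeps one partial binary message per session and only frees it on completion."""
    def __init__(self):
        self.pending = {}  # sid -> PendingBinary (simplified layout, assumption)

    def on_text(self, sid, pkt):
        ptype, count, _ = parse_header(pkt)
        if ptype in (BINARY_EVENT, BINARY_ACK) and count > 0:
            self.pending[sid] = PendingBinary(pkt, count)

    def on_binary(self, sid, data):
        pb = self.pending.get(sid)
        if pb is not None and pb.add(data):
            del self.pending[sid]  # freed only when every attachment arrived

    def on_disconnect(self, sid):
        pass  # the partial message for this sid is never released

    def memory_held(self):
        return sum(pb.size() for pb in self.pending.values())


class HardenedServer(VulnerableServer):
    """Accepts binary headers only from accepted sessions and frees state on disconnect."""
    MAX_DECLARED = 16  # example's own extra cap on declared attachments

    def __init__(self, accepted):
        super().__init__()
        self.accepted = accepted  # sids the application has authenticated (assumption)
        self.rejected = 0

    def on_text(self, sid, pkt):
        ptype, count, _ = parse_header(pkt)
        if ptype in (BINARY_EVENT, BINARY_ACK) and (
            sid not in self.accepted or count > self.MAX_DECLARED
        ):
            self.rejected += 1
            return
        super().on_text(sid, pkt)

    def on_disconnect(self, sid):
        self.pending.pop(sid, None)  # partial message goes away with the client


def run_attack(server, connections):
    """Open `connections` sessions, each leaving one incomplete binary message,
    then disconnect all of them. Returns the bytes the server still holds."""
    for i in range(connections):
        sid = f"sid{i}"
        server.on_text(sid, ATTACK_HEADER)
        server.on_binary(sid, ATTACHMENT)  # second attachment is withheld
        server.on_disconnect(sid)
    return server.memory_held()


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableServer(), 1000), "bytes retained")
    print("hardened:  ", run_attack(HardenedServer(accepted=set()), 1000), "bytes retained")
```

Running the module shows the vulnerable model retaining roughly a megabyte per thousand abandoned sessions while the hardened model retains nothing, because each disconnect releases the partial message and unauthenticated sessions never create one. The per-session dictionary is deliberately simple; the point is the lifecycle of the entry, not the container.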
The vulnerability was reported by security researcher mauriceng98 and the advisory was published by the library maintainer Miguel Grinberg on May 23, 2026. No notable broader media coverage, vendor statements beyond the advisory, or significant social media discussion has been identified at this time (Repo Advisory).
Source: This report was generated with the help of AI.