CVE-2026-48804
Python Vulnerability Analysis and Mitigation

Overview

CVE-2026-48804 is a denial-of-service vulnerability in the python-socketio library caused by unbounded accumulation of binary message attachments in server memory. The vulnerability affects all versions up to and including 5.16.1 and was originally published by the maintainer on May 23, 2026, with the advisory added to the GitHub Advisory Database on June 26, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Repo Advisory).

Technical details

The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The python-socketio server holds binary EVENT and ACK messages in memory while awaiting their associated binary attachments; once all attachments arrive, the message is processed. An unauthenticated attacker can exploit this by sending a binary message and deliberately withholding one or more of its attachments, causing the server to retain the partial message and any received attachments indefinitely, consuming increasing amounts of memory. No authentication or user interaction is required, and the attack is executable remotely over the network with low complexity (GitHub Advisory, Repo Advisory).

Impact

Successful exploitation results in progressive memory exhaustion on the server hosting python-socketio, ultimately causing a denial-of-service condition. There is no impact on confidentiality or data integrity — the vulnerability is purely an availability issue. A single attacker or a small number of connections repeatedly submitting incomplete binary messages could degrade or crash the server, affecting all users of the application (GitHub Advisory).

Exploitation steps

  1. Reconnaissance: Identify internet-facing services running python-socketio version 5.16.1 or earlier, for example by scanning for Socket.IO handshake endpoints (e.g., /socket.io/) using tools like Shodan or direct HTTP probing.
  2. Establish a Socket.IO connection: Connect to the target server using a Socket.IO client library without authenticating (no credentials required).
  3. Send an incomplete binary message: Transmit a binary EVENT or ACK packet that declares multiple binary attachments (e.g., 5-2["event", {"_placeholder":true,"num":0}, {"_placeholder":true,"num":1}]) but intentionally send only a subset of the declared attachments.
  4. Repeat to exhaust memory: Open multiple connections and repeat the above step in a loop, causing the server to accumulate partial binary messages and their received attachments in memory without releasing them.
  5. Achieve denial of service: As server memory is exhausted, the application becomes unresponsive or crashes, denying service to legitimate users (GitHub Advisory, Repo Advisory).

Indicators of compromise

  • Network: High volume of Socket.IO connections from one or more source IPs that establish connections and send binary packets but never complete the attachment sequence; connections that remain open for unusually long durations without normal traffic patterns.
  • Logs: Server logs showing repeated binary packet receipt events without corresponding completion events; Socket.IO or application-level warnings about pending binary attachments accumulating.
  • Process/System: Steadily increasing memory consumption by the python-socketio server process (observable via top, htop, or application performance monitoring); eventual out-of-memory errors or process crashes in system logs.

Mitigation and workarounds

Upgrade python-socketio to version 5.16.2 or later, which addresses the issue by restricting binary packet acceptance to authenticated clients only and by cleaning up any partial binary messages held in memory when a client disconnects. No configuration-based workaround is documented; upgrading is the recommended and only confirmed remediation. Operators should also consider enforcing authentication on their Socket.IO endpoints as a defense-in-depth measure (GitHub Advisory, Repo Advisory).
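To make the mechanism from the technical details and the remediation described here concrete, the following is an added example (not python-socketio's own code) that models the buffer holding a binary message until its attachments arrive: `fixed=False` keeps partial messages forever, `fixed=True` applies the two changes the advisory describes. The `PendingBinaryStore` class, the `simulate` scenario and its sizes are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

BINARY_HDR = re.compile(r"^([56])(\d+)-")  # Socket.IO BINARY_EVENT/BINARY_ACK: type, N attachments, '-'

class PendingBinaryStore:
    """Hypothetical model (not python-socketio's code) of the buffer holding a binary message until its
    attachments arrive: fixed=False is the unbounded pattern, fixed=True applies the advisory's fixes."""
    def __init__(self, fixed):
        self.fixed, self.authenticated = fixed, set()
        self.pending = defaultdict(list)  # sid -> [[expected_count, [blobs]], ...]
    def on_text_packet(self, sid, packet):
        m = BINARY_HDR.match(packet)
        if not m:
            return "text"  # non-binary packets are never buffered
        if self.fixed and sid not in self.authenticated:
            return "rejected"  # header discarded, so its attachments will be 'unexpected'
        self.pending[sid].append([int(m.group(2)), []])
        return "pending"
    def on_attachment(self, sid, blob):
        if not self.pending[sid]:
            return "unexpected"  # nothing awaiting attachments: frame is dropped
        expected, blobs = self.pending[sid][-1]  # attachments follow the latest header
        blobs.append(blob)
        if len(blobs) < expected:
            return "pending"
        self.pending[sid].pop()  # all attachments in: message would now be processed
        return "complete"
    def on_disconnect(self, sid):
        self.authenticated.discard(sid)
        if self.fixed:
            self.pending.pop(sid, None)  # release partial messages with the client
    def pending_bytes(self):
        return sum(len(b) for m in self.pending.values() for _, bl in m for b in bl)

def simulate(fixed, clients=100, rounds=5, blob=b"A" * 1024):
    """Constructed scenario: authenticated clients each declare 2 attachments, send 1, 5 times."""
    store = PendingBinaryStore(fixed)
    hdr = '52-["evt",{"_placeholder":true,"num":0},{"_placeholder":true,"num":1}]'
    sids = [f"sid{c}" for c in range(clients)]
    store.authenticated.update(sids)
    for sid in sids:
        for _ in range(rounds):
            store.on_text_packet(sid, hdr)
            store.on_attachment(sid, blob)
    peak = store.pending_bytes()
    for sid in sids:
        store.on_disconnect(sid)
    return peak, store.pending_bytes()  # bytes held while connected, and after they leave
```

With the fix an authenticated client can still hold partial messages until it disconnects, which is why the memory monitoring in the indicators section remains worthwhile after upgrading.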

Community reactions

The vulnerability was reported by security researcher mauriceng98 and the advisory was published by the library maintainer Miguel Grinberg on May 23, 2026. No notable broader media coverage, vendor statements beyond the advisory, or significant social media discussion has been identified at this time (Repo Advisory).

This report was generated with the help of AI.

