GHSA-5w7q-77mv-v69f: python-socketio: Binary attachment accumulation can cause denial of service
A denial of service vulnerability exists in python-socketio versions prior to 5.16.2 due to accumulation of binary attachment messages in memory. The server stores binary EVENT and ACK messages while waiting for all their binary attachments. An attacker can exploit this by sending a binary message but omitting some attachments, causing the server to retain partial messages in memory indefinitely. This can lead to resource exhaustion and denial of service. Version 5.16.2 addresses this by accepting binary packets only from authenticated clients and clearing partial messages when clients disconnect.
AI Analysis
Technical Summary
The python-socketio server implementation stores binary EVENT and ACK messages in memory while awaiting all their binary attachments before processing. An attacker can submit a binary message and deliberately omit one or more attachments, causing the server to hold the incomplete message and partial attachments in memory for an extended period. This behavior can be exploited to cause a denial of service through resource exhaustion. The vulnerability is tracked as CVE-2026-48804 and affects versions prior to 5.16.2. The fix in version 5.16.2 restricts binary packet acceptance to authenticated clients and ensures cleanup of partial messages upon client disconnection.
Potential Impact
This vulnerability allows an unauthenticated remote attacker to cause a denial of service by exhausting server memory resources through incomplete binary message attachments. There is no impact on confidentiality or integrity. The primary impact is availability degradation due to resource exhaustion.
Mitigation Recommendations
Upgrade python-socketio to version 5.16.2 or later, which implements acceptance of binary packets only from authenticated clients and clears partial binary messages when clients disconnect. These measures mitigate the risk of denial of service from binary attachment accumulation. Patch status is confirmed as fixed in version 5.16.2.
GHSA-5w7q-77mv-v69f: python-socketio: Binary attachment accumulation can cause denial of service
Description
A denial of service vulnerability exists in python-socketio versions prior to 5.16.2 due to accumulation of binary attachment messages in memory. The server stores binary EVENT and ACK messages while waiting for all their binary attachments. An attacker can exploit this by sending a binary message but omitting some attachments, causing the server to retain partial messages in memory indefinitely. This can lead to resource exhaustion and denial of service. Version 5.16.2 addresses this by accepting binary packets only from authenticated clients and clearing partial messages when clients disconnect.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The python-socketio server implementation stores binary EVENT and ACK messages in memory while awaiting all their binary attachments before processing. An attacker can submit a binary message and deliberately omit one or more attachments, causing the server to hold the incomplete message and partial attachments in memory for an extended period. This behavior can be exploited to cause a denial of service through resource exhaustion. The vulnerability is tracked as CVE-2026-48804 and affects versions prior to 5.16.2. The fix in version 5.16.2 restricts binary packet acceptance to authenticated clients and ensures cleanup of partial messages upon client disconnection.
Potential Impact
This vulnerability allows an unauthenticated remote attacker to cause a denial of service by exhausting server memory resources through incomplete binary message attachments. There is no impact on confidentiality or integrity. The primary impact is availability degradation due to resource exhaustion.
Mitigation Recommendations
Upgrade python-socketio to version 5.16.2 or later, which implements acceptance of binary packets only from authenticated clients and clears partial binary messages when clients disconnect. These measures mitigate the risk of denial of service from binary attachment accumulation. Patch status is confirmed as fixed in version 5.16.2.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-5w7q-77mv-v69f
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-48804"]
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a3ef76827e9c79719fee7af
Added to database: 06/26/2026, 22:04:24 UTC
Last enriched: 06/26/2026, 22:07:29 UTC
Last updated: 06/27/2026, 03:07:49 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.