GHSA-cgwc-pv48-fhj5: python-engineio has unbound thread allocation that can cause denial of service
python-engineio versions prior to 4.13.2 contain a vulnerability where an attacker can cause excessive background thread creation via the heartbeat mechanism, leading to denial of service. This primarily affects synchronous servers, which allocate physical threads for heartbeat management. The issue is mitigated in version 4.13.2 by restricting heartbeat thread creation to authenticated clients and ensuring only one heartbeat thread per client is active at a time.
AI Analysis
Technical Summary
CVE-2026-48802 in python-engineio allows an attacker to cause denial of service by triggering unbounded creation of background threads through the heartbeat mechanism. When a new connection is received or a PONG packet is sent by the client, a background thread is launched for heartbeat management. Synchronous servers are primarily affected because they allocate physical threads, which can exhaust system resources. The vulnerability is addressed in python-engineio version 4.13.2 by launching heartbeat threads only after client authentication and by ensuring only one heartbeat thread per client is active, discarding out-of-sequence PONG packets.
Potential Impact
An attacker can cause denial of service by forcing the server to create excessive background threads, potentially exhausting system resources and degrading or interrupting service availability. This impact is limited to synchronous server deployments of python-engineio. Asynchronous servers are less affected due to their use of lightweight async tasks. There is no impact on confidentiality or integrity.
Mitigation Recommendations
Upgrade python-engineio to version 4.13.2 or later, which includes an official fix that restricts heartbeat thread creation to authenticated clients and prevents multiple concurrent heartbeat threads per client. No additional mitigation is required if this version is deployed.
GHSA-cgwc-pv48-fhj5: python-engineio has unbound thread allocation that can cause denial of service
Description
python-engineio versions prior to 4.13.2 contain a vulnerability where an attacker can cause excessive background thread creation via the heartbeat mechanism, leading to denial of service. This primarily affects synchronous servers, which allocate physical threads for heartbeat management. The issue is mitigated in version 4.13.2 by restricting heartbeat thread creation to authenticated clients and ensuring only one heartbeat thread per client is active at a time.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48802 in python-engineio allows an attacker to cause denial of service by triggering unbounded creation of background threads through the heartbeat mechanism. When a new connection is received or a PONG packet is sent by the client, a background thread is launched for heartbeat management. Synchronous servers are primarily affected because they allocate physical threads, which can exhaust system resources. The vulnerability is addressed in python-engineio version 4.13.2 by launching heartbeat threads only after client authentication and by ensuring only one heartbeat thread per client is active, discarding out-of-sequence PONG packets.
Potential Impact
An attacker can cause denial of service by forcing the server to create excessive background threads, potentially exhausting system resources and degrading or interrupting service availability. This impact is limited to synchronous server deployments of python-engineio. Asynchronous servers are less affected due to their use of lightweight async tasks. There is no impact on confidentiality or integrity.
Mitigation Recommendations
Upgrade python-engineio to version 4.13.2 or later, which includes an official fix that restricts heartbeat thread creation to authenticated clients and prevents multiple concurrent heartbeat threads per client. No additional mitigation is required if this version is deployed.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-cgwc-pv48-fhj5
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-48802"]
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a3ef76827e9c79719fee7b3
Added to database: 06/26/2026, 22:04:24 UTC
Last enriched: 06/26/2026, 22:07:33 UTC
Last updated: 06/27/2026, 01:29:41 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.