GHSA-m9gh-vj53-gvh9: python-engineio has possible denial of service due to maximum payload size sometimes not being enforced
A denial of service vulnerability exists in python-engineio versions prior to 4.13.2 due to improper enforcement of maximum payload size in certain server configurations. Specifically, when using ASGI with long polling transport or Aiohttp with WebSocket transport, incoming message sizes are not checked before loading into memory, allowing attackers to cause excessive memory allocation. Version 4.13.2 includes fixes that enforce payload size limits and discard oversized requests early.
AI Analysis
Technical Summary
The python-engineio server has a denial of service vulnerability (CVE-2026-48809) in versions before 4.13.2 where the maximum payload size is not always enforced before loading incoming messages into memory. This affects two configurations: POST requests using ASGI with long polling transport, and WebSocket messages using Aiohttp with WebSocket transport. An attacker can exploit this to cause unnecessary memory consumption, potentially leading to service disruption. The issue is addressed in version 4.13.2 by enforcing client authentication and payload size checks before loading request bodies in ASGI, and by configuring maximum payload size in Aiohttp's WebSocket layer to discard large messages early.
Potential Impact
This vulnerability allows unauthenticated remote attackers to cause a denial of service by triggering excessive memory allocation on the python-engineio server. The impact is limited to service availability (denial of service) with no confidentiality or integrity loss reported.
Mitigation Recommendations
Upgrade python-engineio to version 4.13.2 or later, where the vulnerability is fixed by enforcing maximum payload size checks and client authentication before loading request bodies. No additional mitigation is required once the patch is applied.
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-m9gh-vj53-gvh9
- Osv Schema Version: 1.4.0
- Aliases: CVE-2026-48809
- Ecosystems: PyPI
- Database Specific Severity: HIGH
- Cvss Version: 3.1
Threat ID: 6a3ef76a27e9c79719fee7fc
Added to database: 06/26/2026, 22:04:26 UTC
Last enriched: 06/26/2026, 22:07:55 UTC
Last updated: 06/27/2026, 02:23:17 UTC