GHSA-cgwc-pv48-fhj5

Source
https://github.com/advisories/GHSA-cgwc-pv48-fhj5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cgwc-pv48-fhj5/GHSA-cgwc-pv48-fhj5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cgwc-pv48-fhj5
Aliases
  • CVE-2026-48802
Published
2026-06-26T20:51:37Z
Modified
2026-06-26T21:00:09.537485662Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
python-engineio has unbound thread allocation that can cause denial of service
Details

Impact

An attacker can force the python-engineio server to create an unbounded number of background threads through its heartbeat mechanism: the server launches a heartbeat thread when a new connection is received, before the connect handler has accepted the client, and launches another one each time the client sends a PONG packet. A client that floods the server with PONG packets therefore obtains one new thread per packet, exhausting server resources without any authentication (CWE-770, allocation of resources without limits).

Note: this issue primarily affects synchronous servers. Asynchronous servers allocate background tasks instead of operating-system threads; tasks are lightweight, so the same flood is less likely to cause denial of service. The fix was nevertheless applied to the asynchronous code path as well.

Patches

Version 4.13.2 addresses this issue as follows:

  • The initial background thread (or async task) for heartbeat management is only launched if the client passes authentication in the connect handler.
  • The server now ensures that there is only one background heartbeat thread (or async task) per client at any given point in time. Out-of-sequence PONG packets are discarded when an active heartbeat thread is already running.
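The following is an added toy model of the behaviour described above, not python-engineio's own code: the class and method names, the connect-handler stand-in and the timing constant are assumptions chosen for the demonstration. With `fixed=False` it reproduces the reported pattern (a heartbeat thread started before the connect handler runs, and another one on every PONG); with `fixed=True` it applies the two mitigations listed for 4.13.2 and shows that a PONG flood no longer grows the thread count.

```python
"""Toy model of the heartbeat thread-allocation issue (illustrative, not engineio code)."""
import threading


class Client:
    def __init__(self, sid, authenticated):
        self.sid = sid
        self.authenticated = authenticated   # stands in for whatever the connect handler checks
        self.stop = threading.Event()        # set on disconnect; ends every heartbeat loop
        self.threads = []                    # every heartbeat thread ever started for this sid
        self.pings_sent = 0


class HeartbeatServer:
    """Per-client heartbeat manager (hypothetical). fixed=False: vulnerable ordering.
    fixed=True: start heartbeat only after the connect handler accepts the client,
    and keep at most one heartbeat thread per client."""

    def __init__(self, fixed, ping_interval=0.02):
        self.fixed = fixed
        self.ping_interval = ping_interval
        self.clients = {}
        self.threads_started = 0      # total heartbeat threads spawned by this server
        self.discarded_pongs = 0      # PONGs ignored because a heartbeat was already running
        self._lock = threading.Lock()

    def _heartbeat_loop(self, client):
        # Emit a PING every ping_interval until the client disconnects.
        while not client.stop.wait(self.ping_interval):
            client.pings_sent += 1

    def _start_heartbeat(self, client):
        t = threading.Thread(target=self._heartbeat_loop, args=(client,), daemon=True)
        client.threads.append(t)
        self.threads_started += 1
        t.start()

    def live_heartbeat_threads(self, sid):
        return sum(t.is_alive() for t in self.clients[sid].threads)

    def _connect_handler(self, client):
        # Application-level authentication; rejects unauthenticated clients.
        return client.authenticated

    def connect(self, sid, authenticated):
        client = Client(sid, authenticated)
        self.clients[sid] = client
        if not self.fixed:
            # Vulnerable ordering: a thread is committed before the client is accepted.
            self._start_heartbeat(client)
        if not self._connect_handler(client):
            self.disconnect(sid)
            return False
        if self.fixed:
            # Mitigation 1: allocate the heartbeat only for accepted clients.
            self._start_heartbeat(client)
        return True

    def on_pong(self, sid):
        client = self.clients.get(sid)
        if client is None:
            return
        if not self.fixed:
            # Vulnerable: every PONG spawns another long-lived heartbeat thread.
            self._start_heartbeat(client)
            return
        with self._lock:
            # Mitigation 2: one heartbeat per client; out-of-sequence PONGs are dropped.
            if self.live_heartbeat_threads(sid) > 0:
                self.discarded_pongs += 1
                return
            self._start_heartbeat(client)

    def disconnect(self, sid):
        client = self.clients.pop(sid, None)
        if client is None:
            return
        client.stop.set()
        for t in client.threads:
            t.join()


def demo(fixed, pong_flood=50):
    """Reject one unauthenticated client, then flood an accepted client with PONGs
    and report how many heartbeat threads the server spawned or kept alive."""
    server = HeartbeatServer(fixed=fixed)
    server.connect("anon", authenticated=False)          # rejected by the connect handler
    threads_for_rejected = server.threads_started
    server.connect("alice", authenticated=True)
    for _ in range(pong_flood):                          # attacker-style PONG flood
        server.on_pong("alice")
    result = {
        "threads_for_rejected_client": threads_for_rejected,
        "live_threads_for_authenticated_client": server.live_heartbeat_threads("alice"),
        "discarded_pongs": server.discarded_pongs,
    }
    server.disconnect("alice")
    return result


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))
    print("fixed:     ", demo(fixed=True))
```

In the vulnerable configuration the rejected client still costs one thread and the 50-packet flood leaves 51 heartbeat threads alive for a single connection; in the fixed configuration the rejected client costs nothing and the flood leaves one thread, with all 50 extra PONGs discarded. The per-client lock around the "is a heartbeat already running" check is what keeps two concurrent PONGs from both passing the test and each starting a thread.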
Database specific
{
    "github_reviewed_at": "2026-06-26T20:51:37Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "HIGH"
}
References

Affected packages

PyPI / python-engineio

Affected ranges

Type: ECOSYSTEM
Events:
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 4.13.2

Affected versions

0.*
0.1.0
0.2.0
0.3.0
0.3.1
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.9.0
0.9.1
0.9.2
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.3.2
1.4.0
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0
1.6.1
1.7.0
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.2.0
2.3.0
2.3.1
2.3.2
3.*
3.0.0
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0
3.5.1
3.5.2
3.6.0
3.7.0
3.8.0
3.8.1
3.8.2
3.8.2.post1
3.9.0
3.9.1
3.9.2
3.9.3
3.10.0
3.11.0
3.11.1
3.11.2
3.12.0
3.12.1
3.13.0
3.13.1
3.13.2
3.14.0
3.14.1
3.14.2
4.*
4.0.0
4.0.1
4.1.0
4.2.0
4.2.1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.4.0
4.4.1
4.5.0
4.5.1
4.6.0
4.6.1
4.7.0
4.7.1
4.8.0
4.8.1
4.8.2
4.9.0
4.9.1
4.10.0
4.10.1
4.11.0
4.11.1
4.11.2
4.12.0
4.12.1
4.12.2
4.12.3
4.13.0
4.13.1

Database specific

source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cgwc-pv48-fhj5/GHSA-cgwc-pv48-fhj5.json"
last_known_affected_version_range: "<= 4.13.1"