An attacker can cause the creation of unnecessary background threads in the python-engineio server by exploiting the heartbeat mechanism, which launches a thread when a new connection is received, and when the client sends a PONG packet.
Note: this issue primarily affects synchronous servers. Asynchronous servers allocate background tasks instead of physical threads, which are lightweight and less likely to cause denial of service. However, the fix that was implemented was also applied to the asynchronous case.
Version 4.13.2 addresses this issue as follows:
connect handler.{
"github_reviewed_at": "2026-06-26T20:51:37Z",
"nvd_published_at": null,
"github_reviewed": true,
"cwe_ids": [
"CWE-770"
],
"severity": "HIGH"
}