GHSA-m9gh-vj53-gvh9

Source
https://github.com/advisories/GHSA-m9gh-vj53-gvh9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-m9gh-vj53-gvh9/GHSA-m9gh-vj53-gvh9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m9gh-vj53-gvh9
Aliases
  • CVE-2026-48809
Published
2026-06-26T20:48:18Z
Modified
2026-06-26T21:00:10.358338741Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced
Details

Impact

There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are:

  • POST requests, when using ASGI with the long polling transport
  • WebSocket messages, when using Aiohttp with the WebSocket transport

Patches

Version 4.13.2 addresses this issue as follows:

  • ASGI servers now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.
  • Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio.
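As an added illustration of the size check the fix describes (not python-engineio's own code), the following ASGI-style body reader enforces a maximum payload size while request chunks arrive, so an oversized request is rejected before it is ever fully buffered in memory; `read_body_bounded`, `make_receive`, `demo` and the sample chunks are all constructed for this example.

```python
import asyncio

# Added example, not python-engineio's code: read an ASGI request body
# chunk by chunk and abort as soon as the accumulated size exceeds the cap,
# so an oversized payload is never fully loaded into memory.

class PayloadTooLarge(Exception):
    pass

async def read_body_bounded(receive, max_size):
    """Collect 'http.request' chunks from an ASGI receive() callable.

    Raises PayloadTooLarge before buffering more than max_size bytes."""
    chunks = []
    total = 0
    while True:
        message = await receive()
        if message.get("type") != "http.request":
            raise ValueError("unexpected ASGI message %r" % message.get("type"))
        chunk = message.get("body", b"")
        total += len(chunk)
        if total > max_size:
            # Stop here: the remainder of the request is not read into memory.
            raise PayloadTooLarge(total)
        chunks.append(chunk)
        if not message.get("more_body", False):
            return b"".join(chunks)

def make_receive(chunks):
    """Constructed stand-in for an ASGI server's receive(): yields the given
    (non-empty list of) byte chunks as 'http.request' messages."""
    it = iter(chunks)
    remaining = len(chunks)
    async def receive():
        nonlocal remaining
        chunk = next(it)
        remaining -= 1
        return {"type": "http.request", "body": chunk, "more_body": remaining > 0}
    return receive

def demo(chunks, max_size):
    """Run the bounded reader; returns ('ok', body) or ('rejected', bytes_seen)."""
    async def run():
        try:
            return ("ok", await read_body_bounded(make_receive(chunks), max_size))
        except PayloadTooLarge as exc:
            return ("rejected", exc.args[0])
    return asyncio.run(run())

if __name__ == "__main__":
    print(demo([b"2:40", b"hello"], max_size=1_000_000))   # ('ok', b'2:40hello')
    print(demo([b"x" * 600, b"y" * 600], max_size=1000))   # ('rejected', 1200)
```

The second call shows the failure mode the advisory is about: the reader gives up after 1200 bytes instead of accepting an arbitrarily large body, and the same accumulate-then-compare pattern applies to WebSocket frames.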
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:48:18Z",
    "severity": "HIGH"
}
References

Affected packages

PyPI / python-engineio

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.13.2

Affected versions

0.*
0.1.0
0.2.0
0.3.0
0.3.1
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.9.0
0.9.1
0.9.2
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.3.2
1.4.0
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0
1.6.1
1.7.0
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.2.0
2.3.0
2.3.1
2.3.2
3.*
3.0.0
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0
3.5.1
3.5.2
3.6.0
3.7.0
3.8.0
3.8.1
3.8.2
3.8.2.post1
3.9.0
3.9.1
3.9.2
3.9.3
3.10.0
3.11.0
3.11.1
3.11.2
3.12.0
3.12.1
3.13.0
3.13.1
3.13.2
3.14.0
3.14.1
3.14.2
4.*
4.0.0
4.0.1
4.1.0
4.2.0
4.2.1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.4.0
4.4.1
4.5.0
4.5.1
4.6.0
4.6.1
4.7.0
4.7.1
4.8.0
4.8.1
4.8.2
4.9.0
4.9.1
4.10.0
4.10.1
4.11.0
4.11.1
4.11.2
4.12.0
4.12.1
4.12.2
4.12.3
4.13.0
4.13.1

Database specific

last_known_affected_version_range
"<= 4.13.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-m9gh-vj53-gvh9/GHSA-m9gh-vj53-gvh9.json"