This is a Cross-Site Request Forgery (CSRF) vulnerability. It affects Socket.IO and Engine.IO web servers that authenticate clients using cookies.
python-engineio version 3.9.0 patches this vulnerability by adding server-side Origin header checks.
Do not use cookies for client authentication, or else add a CSRF token to the connection URL.
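To make the two mitigations above concrete, here is an added illustration (not python-engineio's own code) of the checks a cookie-authenticated Socket.IO/Engine.IO endpoint needs before accepting a handshake: a same-origin Origin-header check with optional allow-list, plus a constant-time comparison of a CSRF token carried in the connection URL. The request dictionaries, the `csrf_token` query parameter name, and the sample origins and tokens are all constructed for the example.

```python
"""Origin and URL-token checks for a cookie-authenticated WebSocket / long-polling
handshake. Added illustration; not code from python-engineio."""
import hmac
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def normalize_origin(origin):
    """Canonicalise an origin: lower-case scheme and host, drop the default
    port, ignore any path. Returns None for anything unparseable, including
    the literal 'null' origin that sandboxed or file:// pages send."""
    parts = urlsplit(origin.strip())
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if ":" in host:  # bare IPv6 literal; re-bracket it
        host = f"[{host}]"
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_allowed(request, allowed_origins=None):
    """allowed_origins=None means same-origin only: Origin must equal the scheme
    and Host the request arrived on. A list restricts to those origins; "*"
    disables the check, which is only safe when cookies are not used for auth."""
    headers = request["headers"]
    origin = headers.get("Origin")
    if origin is None:
        # Cross-site browser requests (CORS fetch/XHR, WebSocket handshakes)
        # always carry Origin, so a request without it is either same-origin
        # or from a non-browser client; neither can ride a victim's cookies.
        return True
    origin = normalize_origin(origin)
    if origin is None:
        return False
    if allowed_origins == "*":
        return True
    if allowed_origins is None:
        host = headers.get("Host")
        if host is None:
            return False
        own = normalize_origin(f"{request['scheme']}://{host}")
        return own is not None and origin == own
    allowed = {normalize_origin(o) for o in allowed_origins}
    allowed.discard(None)
    return origin in allowed


def csrf_token_valid(request, expected_token):
    """Check the per-session token in the connection URL, e.g.
    /socket.io/?EIO=3&transport=polling&csrf_token=<value> (parameter name is
    an assumption for this example). Constant-time compare to avoid leaking it."""
    query = parse_qs(urlsplit(request["url"]).query)
    supplied = query.get("csrf_token", [""])[0]
    return hmac.compare_digest(supplied.encode(), expected_token.encode())


def accept_handshake(request, allowed_origins=None, expected_token=None):
    """Combined gate: the Origin check must pass, and when the server issues a
    URL token it must match as well. Both mitigations can be used together."""
    if not origin_allowed(request, allowed_origins):
        return False
    if expected_token is not None and not csrf_token_valid(request, expected_token):
        return False
    return True


# Constructed sample handshakes (not captured traffic).
LEGIT = {"scheme": "https",
         "url": "/socket.io/?EIO=3&transport=polling&csrf_token=a1b2",
         "headers": {"Host": "app.example.com", "Origin": "https://app.example.com",
                     "Cookie": "session=example"}}
CROSS_SITE = {"scheme": "https",
              "url": "/socket.io/?EIO=3&transport=websocket",
              "headers": {"Host": "app.example.com", "Origin": "https://attacker.example",
                          "Cookie": "session=example"}}
NON_BROWSER = {"scheme": "https",
               "url": "/socket.io/?EIO=3&transport=websocket",
               "headers": {"Host": "app.example.com"}}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("cross-site", CROSS_SITE), ("non-browser", NON_BROWSER)):
        print(name, "accepted" if accept_handshake(req) else "rejected")
```

The same-origin default is what matters for the vulnerability: a page on another site can open a WebSocket or long-polling request to the server, and the browser attaches the session cookie, but it cannot forge the Origin header, so the comparison against the request's own scheme and Host rejects it. The URL token covers deployments that cannot rely on Origin (for example, behind a proxy that rewrites Host), because a cross-site page has no way to read the victim's token.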
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
If you have any questions or comments about this advisory:
* Open an issue in python-engineio
CWE: CWE-352
Severity: HIGH
GitHub reviewed: yes, 2020-06-16T21:41:53Z
NVD published at: not recorded