31 matches found
Malicious code in @dervix/engine.io (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 118dd8f5224b1dcccddf25d74c6c9fe3543b444173ea293dafa28154e82689d5 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-10474 Malicious code in @dervix/engine.io (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 118dd8f5224b1dcccddf25d74c6c9fe3543b444173ea293dafa28154e82689d5 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
Malicious code in @gleamkit/engine.io (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 008464ca4d7ba15b4b8c6d3a979586c61bd527aef3a209571d28c0ba912403ae The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
socket.io: engine.io: Socket.IO: Denial of Service via invalid binary POST requests
A flaw was found in Socket.IO, specifically within the Engine.IO protocol v4 polling transport. An unauthenticated attacker can exploit this vulnerability by sending invalid binary POST requests with a Content-Type of application/octet-stream. This improper handling of requests prevents the HTTP...
CVE-2026-59725
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...
CVE-2026-59724
Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as proto through an inherited property of the clients object during WebTransport upgrade handling, causing a...
CVE-2026-59725
CVE-2026-59725 affects Socket.IO’s Engine.IO polling transport (versions 4.1.0–6.6.6). The root cause is that invalid binary POST requests with Content-Type: application/octet-stream are not properly closing the HTTP response, enabling unauthenticated attackers to exhaust server-side connections ...
CVE-2026-59725 Socket.IO: Engine.IO Polling Transport Connection Exhaustion
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...
EUVD-2026-42313
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...
CVE-2026-59724 Socket.IO: Engine.IO WebTransport SID DoS
Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as proto through an inherited property of the clients object during WebTransport upgrade handling, causing a...
EUVD-2026-42312
Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as proto through an inherited property of the clients object during WebTransport upgrade handling, causing a...
CVE-2026-59724
Socket.IO’s Engine.IO component is affected in versions 6.5.0–6.6.6 when WebTransport is enabled. During a WebTransport upgrade, processing a crafted session ID such as proto on an inherited property of the clients object can trigger a TypeError, leading to a denial of service. The issue has been...
CVE-2026-59724
Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as proto through an inherited property of the clients object during WebTransport upgrade handling, causing a...
engine.io: Specially crafted HTTP request can trigger an uncaught exception
A flaw was found in engine.io. The Socket.IO Engine.IO is vulnerable to a denial of service caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service...
Engine.IO 安全漏洞
Engine.IO is Engine.IO open source implementation of a transport-based cross-browser/cross-device bi-directional communication layer. A security vulnerability exists in Engine.IO versions 5.1.0 through 6.4.1, which stems from a specially crafted HTTP request that can trigger an uncaught exception...
4cs-cli (>=0.0.28 <=0.0.36), @3kles/3kles-socketio (>=1.0.0 <=1.0.5) +497 more potentially affected by CVE-2023-31125 via engine.io (>=5.1.1 <=6.3.1)
engine.io NPM version =5.1.1, =0.0.28, =1.0.0, =5.1.0, =0.0.0, =0.0.1-2.1-beta-provision, =2.2.6, =2.3.10, =2.2.6, =2.1.15, =2.8.10, =2.7.0, =2.7.0, =2.5.1, =2.7.0, =2.9.36 and more Source cves: CVE-2023-31125 Source advisory: OSV:GHSA-Q9MW-68C2-J6M5...
Malicious Package
Overview engine.io-client-v3 is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this packa...
AZL-44820 CVE-2022-41940 affecting package js-jquery 3.5.0-4
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...
Engine.IO 安全漏洞
Engine.IO is a transport-based implementation of Socket.IO's cross-browser/cross-device bi-directional communication layer.A denial-of-service vulnerability exists in versions of Socketio Engine.IO prior to 3.6.1, 4.0.0 and later, and prior to 6.2.1, which stems from a failure to properly handle...
0.edsql (>=1.0.49 <=1.0.50), 10secondsofcode-custom (=1.0.0) +1527 more potentially affected by CVE-2022-41940 via engine.io (>=4.0.6 <=6.1.3)
engine.io NPM version =4.0.6, =1.0.49, =1.0.0, =0.0.28, =1.0.1, =0.8.2, =1.0.0, =0.1.13, =0.0.4, =1.2.1, =1.0.1, =1.0.2 - @aaronconway7/create-gatsby-app =1.0.0 - @accio-cms/gatsby-starter-accio =0.0.1 - @achilleskal/awesome-blog =1.0.0 and more Source cves: CVE-2022-41940 Source advisory:...