CVE-2020-36048: Resource exhaustion in engine.io
Engine.IO before 4.0.0 and 3.6.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
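The version check a defender would want for this record, as an added example that is not part of the advisory or of the engine.io project: a small SemVer comparator that flags engine.io entries in a package-lock.json that fall inside the affected range. It reads "before 4.0.0 and 3.6.0" as "fixed in 3.6.0 on the 3.x line and in 4.0.0 on the 4.x line", so 3.x releases below 3.6.0 and 4.0.0 pre-releases are treated as affected; that reading, the function names and the lockfile excerpt are assumptions made for the example.

```javascript
// Added example, not code from the advisory or from engine.io.
// Assumption: affected = 3.x below 3.6.0, plus 4.0.0 pre-releases (< 4.0.0).

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: m[4] ? m[4].split('.') : [],
  };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A pre-release sorts below the release carrying the same numbers.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.prerelease.length === 0 && b.prerelease.length === 0) return 0;
  if (a.prerelease.length === 0) return 1;
  if (b.prerelease.length === 0) return -1;
  const n = Math.max(a.prerelease.length, b.prerelease.length);
  for (let i = 0; i < n; i++) {
    const x = a.prerelease[i];
    const y = b.prerelease[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xNum = /^\d+$/.test(x);
    const yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) - Number(y);
    } else if (xNum) {
      return -1; // numeric identifiers sort before alphanumeric ones
    } else if (yNum) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True when an engine.io version string falls in the assumed affected range.
function isAffectedEngineIo(version) {
  const v = parseSemver(version);
  if (v.major < 4) return compareSemver(v, parseSemver('3.6.0')) < 0;
  if (v.major === 4) return compareSemver(v, parseSemver('4.0.0')) < 0;
  return false;
}

// Scan a package-lock.json object (lockfileVersion 2/3 "packages" map, or the
// lockfileVersion 1 "dependencies" tree) for affected engine.io copies,
// including nested ones hoisted under other packages.
function findAffectedEngineIo(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/engine.io') && meta.version &&
          isAffectedEngineIo(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'engine.io' && meta.version && isAffectedEngineIo(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed lockfile excerpt for demonstration; not from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/engine.io': { version: '3.5.0' },
    'node_modules/socket.io/node_modules/engine.io': { version: '3.6.0' },
    'node_modules/legacy-tool/node_modules/engine.io': { version: '4.0.0-alpha.1' },
  },
};

console.log(findAffectedEngineIo(SAMPLE_LOCK));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`; a non-empty result means at least one copy of engine.io should be moved to 3.6.0 or 4.0.0 or later, and nested copies matter because a hoisted top-level fix does not update them.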
References
- blog.caller.xyz/socketio-engineio-dos
- github.com/advisories/GHSA-j4f2-536g-r55m
- github.com/bcaller/kill-engine-io
- github.com/socketio/engine.io
- github.com/socketio/engine.io/commit/58e274c437e9cbcf69fd913c813aad8fbd253703
- github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b
- nvd.nist.gov/vuln/detail/CVE-2020-36048