Advisories for Pypi/Python-Engineio package

2026

python-engineio has unbound thread allocation that can cause denial of service

An attacker can cause the creation of unnecessary background threads in the python-engineio server by exploiting the heartbeat mechanism, which launches a thread when a new connection is received, and when the client sends a PONG packet. Note: this issue primarily affects synchronous servers. Asynchronous servers allocate background tasks instead of physical threads, which are lightweight and less likely to cause denial of service. However, the fix that was implemented …

python-engineio has possible denial of service due to maximum payload size sometimes not being enforced

There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are: POST requests, when using ASGI with the long polling transport WebSocket messages, when using Aiohttp with the WebSocket transport

2019