Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7.
History

Fri, 10 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
Weaknesses CWE-772
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Important


Fri, 10 Jul 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Socket
Socket socket.io
Vendors & Products Socket
Socket socket.io

Wed, 08 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7.
Title Socket.IO: Engine.IO Polling Transport Connection Exhaustion
Weaknesses CWE-404
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-07-08T15:37:52.293Z

Updated: 2026-07-08T17:00:32.946Z

Reserved: 2026-07-06T15:34:16.916Z

Link: CVE-2026-59725

cve-icon Vulnrichment

Updated: 2026-07-08T16:50:49.427Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-08T15:37:52Z

Links: CVE-2026-59725 - Bugzilla