Impact
This is a Cross-Site Request Forgery (CSRF) vulnerability. It affects Socket.IO and Engine.IO web servers that authenticate clients using cookies.
Patches
python-engineio version 3.9.0 patches this vulnerability by adding server-side Origin header checks.
Workarounds
Do not use cookies for client authentication, or else add a CSRF token to the connection URL.
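To make the patch and the workaround concrete, here is an added example (written for this page, not python-engineio's own code) of the two server-side defenses the advisory names: an Origin allowlist check on the handshake request, and a CSRF token carried in the connection URL and bound to the authenticated session. It models the handshake as plain function calls rather than a running server; the header dict, secret, session id, origins and query strings are all constructed for the example, and the functions `origin_allowed`, `make_csrf_token`, `csrf_token_valid` and `accept_handshake` are hypothetical names, not library API.

```python
"""Added example: Origin allowlist plus session-bound CSRF token for an
Engine.IO-style handshake. Standalone illustration, not python-engineio code."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Browsers send Origin as http(s)://...; a WebSocket request itself is ws(s)://,
# so both spellings are folded onto http/https before comparison.
_SCHEME_ALIAS = {"ws": "http", "wss": "https"}
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize_origin(origin):
    """Reduce an origin string to (scheme, host, port), filling in default
    ports. Returns None for anything that is not a well-formed origin,
    including the literal "null" origin sent by sandboxed frames."""
    parts = urlsplit(origin.strip())
    scheme = _SCHEME_ALIAS.get(parts.scheme.lower(), parts.scheme.lower())
    if scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or _DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (scheme, parts.hostname.lower(), port)


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def origin_allowed(headers, request_scheme, request_host, allowed_origins=None):
    """Decide whether the handshake's Origin may open a connection.

    No Origin header means a non-browser client (browsers always send Origin
    on WebSocket upgrades and cross-origin XHR/fetch), which cannot be a CSRF
    victim, so it is accepted. Otherwise the Origin must equal the server's
    own origin, derived from the request scheme and Host header, or one of
    the explicitly allowed origins.
    """
    origin = _header(headers, "Origin")
    if origin is None:
        return True
    got = _normalize_origin(origin)
    if got is None:  # "null" or malformed origins are rejected outright
        return False
    own = _normalize_origin(f"{request_scheme}://{request_host}")
    permitted = {own} | {_normalize_origin(o) for o in (allowed_origins or [])}
    permitted.discard(None)
    return got in permitted


def make_csrf_token(secret, session_id):
    """Token to embed in the connection URL, bound to the logged-in session
    so that a token leaked from one session is useless for another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(secret, session_id, token):
    """Constant-time comparison against the token expected for this session."""
    if not token:
        return False
    return hmac.compare_digest(make_csrf_token(secret, session_id), token)


def accept_handshake(headers, path_and_query, request_scheme, request_host,
                     secret, session_id, allowed_origins=None):
    """Apply both defenses to one handshake request. session_id is whatever
    the cookie-based login resolved to. Returns (accepted, reason)."""
    if not origin_allowed(headers, request_scheme, request_host, allowed_origins):
        return False, "origin not allowed"
    query = parse_qs(urlsplit(path_and_query).query)
    token = query.get("csrf", [None])[0]
    if not csrf_token_valid(secret, session_id, token):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo values.
    secret = secrets.token_bytes(32)
    token = make_csrf_token(secret, "sess-1")
    url = f"/socket.io/?EIO=3&transport=polling&csrf={token}"
    print(accept_handshake({"Origin": "https://app.example"}, url,
                           "https", "app.example", secret, "sess-1"))
    print(accept_handshake({"Origin": "https://evil.example"}, url,
                           "https", "app.example", secret, "sess-1"))
```

The Origin check alone already closes the cross-site case for browser clients; the token adds a second, independent factor that does not rely on the browser sending Origin, which is why the advisory offers it as a workaround for deployments that cannot upgrade.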
References
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
For more information
If you have any questions or comments about this advisory: