Impact
This is a Cross-Site Request Forgery (CSRF) vulnerability, in the WebSocket setting also known as Cross-Site WebSocket Hijacking. It affects Socket.IO and Engine.IO web servers that authenticate clients using cookies: a page on any other origin can open an Engine.IO connection to the server, the victim's browser attaches the session cookie automatically, and the WebSocket handshake is not covered by the same-origin policy, so the attacker's page ends up with a fully authenticated bidirectional channel in the victim's name.
Patches
python-engineio version 3.9.0 patches this vulnerability by adding server-side Origin header checks. The check is driven by the server's `cors_allowed_origins` setting: with the default, only requests whose Origin header matches the server's own scheme and host are accepted; a list restricts it to the named origins; setting it to `'*'` disables the check and reopens the issue. Requests that carry no Origin header (non-browser clients) are still accepted, since the attack requires a browser.
Workarounds
Do not use cookies for client authentication, or else add a CSRF token to the connection URL (for example as a query-string parameter), issue it only to pages served from your own origin, and verify it in the connect handler before accepting the client. The cookie is sent by the browser to any origin, but the token is not obtainable by a cross-origin page, which is what breaks the attack.
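The following is an added example, not code from python-engineio or this advisory. It models both the 3.9.0-style Origin check and the workaround above as plain functions over the WSGI-style `environ` dict that python-engineio and python-socketio hand to a `connect` handler. The cookie name `session`, the query parameter `csrf_token`, the HMAC binding of the token to the session id, and the sample hostnames are assumptions made for the example.

```python
"""Origin check and CSRF-token check for a cookie-authenticated Engine.IO connection.
Added example (not python-engineio's own code). Assumes a WSGI-style environ dict."""
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSION_COOKIE = "session"    # assumed name of the authentication cookie
CSRF_PARAM = "csrf_token"     # assumed query-string parameter carrying the token


def origin_allowed(environ, allowed_origins=None):
    """Mirror of the 3.9.0 behaviour: None means same-origin only, "*" disables the
    check, a list enumerates permitted origins. Requests with no Origin header
    (non-browser clients) pass, because the attack needs a browser."""
    origin = environ.get("HTTP_ORIGIN")
    if origin is None or allowed_origins == "*":
        return True
    if allowed_origins is None:
        # Browsers send Origin as scheme://host[:port]; HTTP_HOST carries host[:port].
        allowed = {f"{environ.get('wsgi.url_scheme', 'http')}://{environ.get('HTTP_HOST', '')}"}
    else:
        allowed = set(allowed_origins)
    return origin in allowed


def session_id_from_cookie(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def make_csrf_token(secret, session_id):
    """Bind the token to the session so a token from one session is useless in another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(environ, secret, session_id):
    """The token rides in the connection URL, which a cross-origin page cannot obtain,
    unlike the cookie the browser attaches on its own."""
    presented = parse_qs(environ.get("QUERY_STRING", "")).get(CSRF_PARAM, [None])[0]
    if presented is None:
        return False
    return hmac.compare_digest(presented, make_csrf_token(secret, session_id))


def accept_connection(environ, secret, allowed_origins=None, require_csrf_token=True):
    """Decision a connect handler would make. Returns (accepted, reason)."""
    if not origin_allowed(environ, allowed_origins):
        return False, "origin not allowed"
    session_id = session_id_from_cookie(environ)
    if session_id is None:
        return False, "no session cookie"
    if require_csrf_token and not csrf_token_valid(environ, secret, session_id):
        return False, "missing or invalid csrf token"
    return True, "ok"


SECRET = b"constructed-server-secret"   # constructed sample secret
SESSION = "abc123"                       # constructed sample session id


def build_environ(origin, csrf_token=None):
    """Constructed environ for a browser reaching https://app.example with the
    victim's session cookie attached, as browsers do for any origin."""
    environ = {
        "wsgi.url_scheme": "https",
        "HTTP_HOST": "app.example",
        "HTTP_COOKIE": f"{SESSION_COOKIE}={SESSION}",
        "QUERY_STRING": "EIO=3&transport=websocket",
    }
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    if csrf_token is not None:
        environ["QUERY_STRING"] += f"&{CSRF_PARAM}={csrf_token}"
    return environ


def demo():
    token = make_csrf_token(SECRET, SESSION)
    legit = build_environ("https://app.example", token)
    hijack = build_environ("https://attacker.example")   # other origin, no token
    return {
        # pre-3.9.0 server: no Origin check, no token: hijack is accepted
        "vulnerable": accept_connection(hijack, SECRET, "*", require_csrf_token=False)[0],
        "fixed_origin_check": accept_connection(hijack, SECRET)[0],
        "workaround_token": accept_connection(hijack, SECRET, "*")[0],
        "legit": accept_connection(legit, SECRET)[0],
    }


if __name__ == "__main__":
    print(demo())
```

In a python-socketio application the equivalent place for `accept_connection` is the `connect` event handler, which receives `(sid, environ)` and rejects the client by returning `False`; the Origin part is what `cors_allowed_origins` does for you from 3.9.0 onward, so in practice only the token check needs to be written by hand.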
References
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
For more information
If you have any questions or comments about this advisory: