HIGH 7.5

GHSA-m9gh-vj53-gvh9

python-engineio has possible denial of service due to maximum payload size sometimes not being enforced

Details

### Impact

There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are:

- POST requests, when using ASGI with the long polling transport
- WebSocket messages, when using Aiohttp with the WebSocket transport

### Patches

Version 4.13.2 addresses this issue as follows:

- ASGI servers now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.
- Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio.
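The ASGI case above comes down to one defensive pattern: enforce the size limit before the body is buffered. The following is an added illustration of that pattern, not python-engineio's own code; `MAX_PAYLOAD_SIZE`, `content_length_ok`, `read_body_bounded` and `read_chunks` are names chosen for this example, and the limit value is an assumption.

```python
import asyncio

# Assumed limit for this example; the advisory only says "maximum allowed size".
MAX_PAYLOAD_SIZE = 1_000_000


class PayloadTooLarge(Exception):
    """Raised when a request body exceeds the configured maximum."""


def content_length_ok(headers, max_size=MAX_PAYLOAD_SIZE):
    """Cheap pre-check on the ASGI header list (pairs of byte strings).

    A declared Content-Length above the limit lets the server reject the
    request before reading a single body byte. A missing header passes here;
    the streaming check in read_body_bounded remains the real guard."""
    for name, value in headers:
        if name.lower() == b"content-length":
            try:
                return int(value) <= max_size
            except ValueError:
                return False
    return True


async def read_body_bounded(receive, max_size=MAX_PAYLOAD_SIZE):
    """Drain an ASGI request body while counting bytes, and abort as soon as
    the running total passes max_size, so an oversized body is never fully
    held in memory (the unpatched behaviour was to buffer first, check later)."""
    chunks, total = [], 0
    while True:
        message = await receive()
        chunk = message.get("body", b"")
        total += len(chunk)
        if total > max_size:
            raise PayloadTooLarge(total)
        chunks.append(chunk)
        if not message.get("more_body", False):
            return b"".join(chunks)


def read_chunks(chunks, max_size=MAX_PAYLOAD_SIZE):
    """Synchronous helper: feed constructed ASGI 'http.request' events to
    read_body_bounded; return the body, or None if the request was rejected."""
    chunks = list(chunks) or [b""]
    events = [{"type": "http.request", "body": c, "more_body": i < len(chunks) - 1}
              for i, c in enumerate(chunks)]

    async def receive():
        return events.pop(0)

    try:
        return asyncio.run(read_body_bounded(receive, max_size))
    except PayloadTooLarge:
        return None
```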


Affected packages

- PyPI / python-engineio
  - Introduced in: 0
  - Fixed in: 4.13.2
  - Fix: `pip install --upgrade 'python-engineio>=4.13.2'`
