
python-engineio vulnerable to Cross-Site Request Forgery (CSRF)

High severity GitHub Reviewed Published Jul 29, 2019 in miguelgrinberg/python-engineio • Updated Jan 11, 2023

Package

python-engineio (pip)

Affected versions

<= 3.8.2

Patched versions

3.9.0

Description

WebSocket cross-origin vulnerability

Impact

This is a Cross-Site Request Forgery (CSRF) vulnerability. It affects Socket.IO and Engine.IO web servers that authenticate clients using cookies.

Patches

python-engineio version 3.9.0 patches this vulnerability by adding server-side Origin header checks.

Workarounds

Do not use cookies for client authentication, or else add a CSRF token to the connection URL.
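The following is an added illustration of the two mitigations named under Patches and Workarounds, written for this page and not taken from python-engineio itself: a server-side allowlist check on the Origin header of the handshake request, and a per-session CSRF token carried in the connection URL. The function names, the `csrf_token` query parameter name, the sample headers and the policy of accepting requests that carry no Origin header at all (treated as non-browser clients, to which CSRF does not apply) are all assumptions made for the example.

```python
"""Origin and CSRF-token checks for a cookie-authenticated Engine.IO style
handshake.  Added example, not python-engineio's own code; helper names,
the query parameter name and the missing-Origin policy are assumptions."""
import hmac
from urllib.parse import parse_qs, urlsplit

# Default ports so "https://host" and "https://host:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _header(headers: dict, name: str):
    """Case-insensitive header lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def normalize_origin(origin: str):
    """Reduce an origin or URL to a (scheme, host, port) triple.

    Returns None for anything unparsable, including the literal "null" origin
    that browsers send for sandboxed or opaque contexts, so it is never allowed."""
    try:
        parts = urlsplit(origin.strip().lower())
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return None
    return (parts.scheme, parts.hostname, port)


def origin_allowed(headers: dict, allowed_origins) -> bool:
    """Server-side Origin check, the mitigation the advisory's patch describes.

    Browsers always attach Origin to WebSocket upgrades and cross-site XHR,
    so a request that carries one is accepted only on an exact allowlist match
    (scheme, host and port); subdomains and look-alike hosts do not match."""
    origin = _header(headers, "Origin")
    if origin is None:
        return True  # assumption: no Origin means a non-browser client
    target = normalize_origin(origin)
    if target is None:
        return False
    allowed = {normalize_origin(o) for o in allowed_origins}
    return target in allowed


def csrf_token_valid(query_string: str, expected_token: str) -> bool:
    """Workaround check: the connection URL carries a per-session token that a
    page on another site cannot read.  Constant-time comparison; parameter
    name "csrf_token" is an assumption.  Tokens are assumed to be ASCII."""
    supplied = parse_qs(query_string).get("csrf_token", [""])[0]
    return hmac.compare_digest(supplied, expected_token)


def accept_handshake(headers: dict, query_string: str, allowed_origins,
                     expected_token=None):
    """Apply the Origin allowlist, and the URL token when the deployment uses
    one.  Returns (accepted, reason) so the caller can log the rejection."""
    if not origin_allowed(headers, allowed_origins):
        return (False, "origin not allowed")
    if expected_token is not None and not csrf_token_valid(query_string, expected_token):
        return (False, "missing or wrong csrf token")
    return (True, "ok")


# Constructed sample data (not captured from any real deployment).
ALLOWED = ["https://app.example.test"]
TOKEN = "constructed-session-token"

# A same-origin browser upgrade carrying the session cookie ...
SAME_ORIGIN = {"Host": "app.example.test", "Origin": "https://app.example.test",
               "Cookie": "session=abc", "Upgrade": "websocket"}
# ... and one initiated by a page on another site; the browser still attaches
# the victim's cookie, which is exactly what the Origin check has to catch.
CROSS_ORIGIN = {"Host": "app.example.test", "Origin": "https://other-site.example.test",
                "Cookie": "session=abc", "Upgrade": "websocket"}

if __name__ == "__main__":
    print(accept_handshake(SAME_ORIGIN, "transport=websocket", ALLOWED))
    print(accept_handshake(CROSS_ORIGIN, "transport=websocket", ALLOWED))
    print(accept_handshake(SAME_ORIGIN, "csrf_token=" + TOKEN, ALLOWED, TOKEN))
    print(accept_handshake(CROSS_ORIGIN, "csrf_token=guess", ALLOWED, TOKEN))
```

The two checks are independent: the Origin allowlist alone closes the hole for browser clients, while the URL token also covers deployments that cannot enumerate their legitimate origins. Note that a cross-site page cannot set or read the token, but the token must be bound to the session cookie on the server side, otherwise a token from the attacker's own session would pass the comparison.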

References

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html

For more information

If you have any questions or comments about this advisory:


Published to the GitHub Advisory Database Jul 30, 2019
Reviewed Jun 16, 2020
Last updated Jan 11, 2023

Severity

High 8.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS score

0.073% (32nd percentile)

Weaknesses

CVE ID

CVE-2019-13611

GHSA ID

GHSA-j3jp-gvr5-7hwq