WebSocket cross-origin vulnerability

low severity
CVE-2019-13611 published Jul 30, 2019
Published Jul 30, 2019 • updated Jul 30, 2019

Impact

This is a Cross-Site Request Forgery (CSRF) vulnerability. It affects Socket.IO and Engine.IO web servers that authenticate clients using cookies.

Patches

python-engineio version 3.9.0 patches this vulnerability by adding server-side Origin header checks.

Workarounds

Do not use cookies for client authentication, or else add a CSRF token to the connection URL.
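As an added illustration of both the patch and the workaround above (example code, not python-engineio's own implementation), the following stand-alone Python shows an Origin allowlist check of the same shape as the server-side check described under Patches, together with a session-bound CSRF token check on the connection URL; the function names, the `csrf_token` query parameter and the sample headers are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlparse


def origin_allowed(headers, url_scheme='https', allowed_origins=None):
    """Decide whether a Socket.IO/Engine.IO handshake may proceed.

    headers:          request headers (names matched case-insensitively)
    url_scheme:       scheme the server was reached over (WSGI url_scheme)
    allowed_origins:  None -> only the request's own origin (scheme://Host),
                      '*'  -> any origin, or an explicit list of origins.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get('origin')
    if origin is None:
        # Browsers always send Origin on WebSocket handshakes and cross-site
        # requests, so a request without it comes from a non-browser client
        # and carries no ambient cookie-based CSRF risk; let it through.
        return True
    if allowed_origins == '*':
        return True
    if allowed_origins is None:
        host = h.get('host')
        if not host:
            return False
        allowed = ['%s://%s' % (url_scheme, host)]
    else:
        allowed = list(allowed_origins)
    # 'Origin: null' (sandboxed iframes, data: URLs) never matches -> rejected.
    origin = origin.rstrip('/').lower()
    return origin in {a.rstrip('/').lower() for a in allowed}


def csrf_token_ok(connection_url, expected_token):
    """Advisory workaround: require a session-bound CSRF token in the
    connection URL's query string, so a cross-site page that can only make
    the browser attach cookies still cannot complete the handshake."""
    query = parse_qs(urlparse(connection_url).query)
    supplied = query.get('csrf_token', [''])[0]
    return hmac.compare_digest(supplied, expected_token)


# Constructed handshake requests for demonstration (not from the advisory).
SAME_SITE = {'Host': 'app.example', 'Origin': 'https://app.example'}
CROSS_SITE = {'Host': 'app.example', 'Origin': 'https://attacker.example'}
NO_ORIGIN = {'Host': 'app.example', 'User-Agent': 'python-socketio'}

if __name__ == '__main__':
    print(origin_allowed(SAME_SITE), origin_allowed(CROSS_SITE),
          origin_allowed(NO_ORIGIN))  # True False True
```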

References

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html

For more information

If you have any questions or comments about this advisory:

@miguelgrinberg published the maintainer security advisory Jul 29, 2019
Details
Affected packages
  • python-engineio (pip)
    Vulnerable versions: <= 3.8.2
    Patched version: 3.9.0