CVE-2020-36048
Denial of Service (DoS) vulnerability in engine.io (npm)
What is CVE-2020-36048 About?
Engine.IO before 4.0.0 (the 3.x line before 3.6.0, and the 4.0.0 pre-releases) is vulnerable to Denial of Service (DoS) through resource consumption. An attacker sends a crafted HTTP POST request to the long polling transport, and the server buffers the request body in memory up to its maxHttpBufferSize limit, which defaulted to 100 MB. Enough such requests exhaust the server's memory and make the service unavailable to legitimate users. Exploitation is easy: it needs only unauthenticated HTTP POST requests.
Affected Software
Technical Details
This Denial of Service (DoS) vulnerability in Engine.IO arises from how the long polling transport handles the body of a POST request. The transport accumulates incoming body bytes in memory until the request completes or the running total exceeds maxHttpBufferSize, and in the affected versions that option defaulted to 100 MB (1e8 bytes). Nothing in the transport ties that per-request allowance to an overall budget, so an attacker who opens several concurrent POST requests with large bodies can make the Node.js process hold hundreds of megabytes of buffered request data at once. Once the heap is exhausted the process slows down, is killed by the operating system, or crashes, and all users of the service lose their connections. The fix, as described below, is to lower the default buffer limit so that a single request can pin at most 1 MB.
What is the Impact of CVE-2020-36048?
Successful exploitation lets an unauthenticated attacker consume the server's memory, leading to degraded performance, process crashes (out-of-memory), and loss of service for every legitimate user of the Engine.IO (and, by extension, Socket.IO) server.
What is the Exploitability of CVE-2020-36048?
Exploiting this vulnerability is straightforward and of low complexity. The only prerequisite is the ability to send HTTP POST requests to the vulnerable Engine.IO server's polling endpoint; no authentication or privileges are required, because the attack targets the transport's basic request handling before any application logic runs. The attack is remote. The polling transport is enabled by default, so any deployment that has not explicitly restricted transports to WebSocket exposes the endpoint. Risk is higher where the server runs without rate limiting, connection limits, or request-size limits at a reverse proxy in front of the Engine.IO polling transport. A simple script that repeatedly sends large POST requests is enough to trigger the condition.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-36048?
About the Fix from Resolved Security
The patch reduces the default value of maxHttpBufferSize from 100 MB (1e8 bytes) to 1 MB (1e6 bytes), limiting how much of an HTTP request body the long polling transport will buffer per request. This bounds the memory an attacker can pin with each POST and so mitigates CVE-2020-36048, a denial-of-service vulnerability caused by accepting excessively large payloads that could exhaust server memory. Applications that deliberately set a larger maxHttpBufferSize remain exposed in proportion to that value and should pair it with rate limiting or a request-size limit at the reverse proxy.
Available Upgrade Options
- engine.io
- <3.6.0 → Upgrade to 3.6.0 (or to 4.0.0 or later)
Additional Resources
- https://github.com/bcaller/kill-engine-io
- https://osv.dev/vulnerability/GHSA-j4f2-536g-r55m
- https://github.com/socketio/engine.io/commit/58e274c437e9cbcf69fd913c813aad8fbd253703
- https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b
- https://blog.caller.xyz/socketio-engineio-dos/
- https://github.com/socketio/engine.io
- https://nvd.nist.gov/vuln/detail/CVE-2020-36048
What are Similar Vulnerabilities to CVE-2020-36048?
Similar Vulnerabilities: CVE-2021-3601, CVE-2021-23386, CVE-2022-21696, CVE-2022-24328, CVE-2022-24999
