PT-2019-4805 · Python · Python-Engineio

Stonemoe · Published 2019-07-15 · Updated 2024-07-12

CVE-2019-13611 · CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: python-engineio versions 3.8.2 and earlier

Description: The issue is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability, also referred to as a Cross-Site Request Forgery (CSRF) vulnerability. Because the server does not restrict the Origin header, an attacker's page can open WebSocket connections to the server with the victim's browser, which attaches the victim's credentials. It affects Socket.IO and Engine.IO web servers that authenticate clients using cookies. A remote attacker can exploit the vulnerability to perform arbitrary actions in the vulnerable system on the victim's behalf.

Recommendations: For python-engineio versions 3.8.2 and earlier, update to version 3.9.0, which patches this vulnerability by adding server-side Origin header checks. As a temporary workaround, consider not using cookies for client authentication, or add a CSRF token to the connection URL.
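The server-side Origin check that the 3.9.0 fix adds, written out as an added example (illustrative code, not python-engineio's own implementation; the helper names, the allowlist semantics and the constructed WSGI environ samples are assumptions):

```python
# Illustrative same-origin check for the Engine.IO/WebSocket handshake.
# Added example, not python-engineio's own code; the WSGI environ keys are
# standard, the helper names and sample requests are constructed.
from urllib.parse import urlsplit


def server_origin(environ):
    """Build the server's own origin ("scheme://host[:port]") from a WSGI environ."""
    # Only trust X-Forwarded-Proto when a TLS-terminating proxy in front of the
    # app sets it; otherwise a client could spoof the scheme.
    scheme = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST")
    if not host:
        host = environ.get("SERVER_NAME", "")
        port = environ.get("SERVER_PORT")
        if port and port not in ("80", "443"):
            host = f"{host}:{port}"
    return f"{scheme}://{host}".lower()


def normalize_origin(origin):
    """Reduce an Origin header value to a comparable scheme://host[:port] string."""
    parts = urlsplit(origin.strip().lower())
    if not parts.scheme or not parts.netloc:
        return None  # "null" (opaque origin) or malformed value: never matches
    return f"{parts.scheme}://{parts.netloc}"


def origin_allowed(environ, allowed_origins=None):
    """Decide whether a handshake request may proceed with the caller's cookies.

    allowed_origins: None  -> same-origin only (the safe default for cookie auth)
                     "*"   -> any origin (only for servers that do not use cookies)
                     list  -> explicit "scheme://host[:port]" strings, plus same-origin
    """
    raw = environ.get("HTTP_ORIGIN")
    if raw is None:
        # No Origin header: not a browser-initiated cross-site request, so no
        # ambient cookies are being replayed on a victim's behalf.
        return True
    if allowed_origins == "*":
        return True
    origin = normalize_origin(raw)
    if origin is None:
        return False
    allowed = {normalize_origin(o) for o in (allowed_origins or [])}
    allowed.add(server_origin(environ))
    # Exact match on the whole origin; prefix or suffix matching would let
    # "https://chat.example.test.evil.test" through.
    return origin in allowed
```

Wire `origin_allowed` in before the handshake is accepted and answer a failing request with 400, so a cross-site page can never complete the connection.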

Fix

CSRF

Weakness Enumeration

Related Identifiers

BDU:2020-01383
CVE-2019-13611
GHSA-J3JP-GVR5-7HWQ
OPENSUSE-SU-2024:11260-1
OPENSUSE-SU-2024:14157-1
PYSEC-2019-170
SUSE-SU-2019:2267-1
SUSE-SU-2019:2867-1

Affected Products

Python-Engineio