Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport. Reference: https://github.com/bcaller/kill-engine-io https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b
Based off the description: "This change reduces the default value from 100 mb to a more sane 1 mb. This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data." Changing our impact to Important as engine.io can be used in the server sense, and this would constituent as a remote DoS - worst case. Leaving Quay affects as Low, as these look like dev dependencies to me but want to confirm with engineering first. $ npm list --prod | grep engine
External References: https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
Upstream fix: https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b
Statement: Red Hat Quay uses engine.io as a dependency of karma. Karma and therefore engine.io are only used at build time, and not during runtime, making this vulnerability low impact for Red Hat Quay.