From 688e404b26e09c63ad2f79363a1d70697428d004 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Wed, 29 Apr 2026 15:41:33 +0000
Subject: [PATCH] fix: V-007 security vulnerability

Automated security fix generated by Orbis Security AI
---
 packages/engine.io/lib/server.ts | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/packages/engine.io/lib/server.ts b/packages/engine.io/lib/server.ts
index 2fa129885..51d60179d 100644
--- a/packages/engine.io/lib/server.ts
+++ b/packages/engine.io/lib/server.ts
@@ -141,6 +141,11 @@ export interface ServerOptions {
 * @default false
 */
 allowEIO3?: boolean;
+ /**
+ * the maximum number of simultaneous connections. Any connection attempt above this threshold will be rejected.
+ * @default Infinity
+ */
+ maxConnections?: number;
 }

 /**
@@ -454,6 +459,26 @@ export abstract class BaseServer extends EventEmitter {
 return;
 }

+ if (
+ this.opts.maxConnections != null &&
+ this.clientsCount >= this.opts.maxConnections
+ ) {
+ debug(
+ "too many connections (maxConnections=%d)",
+ this.opts.maxConnections,
+ );
+ this.emit("connection_error", {
+ req,
+ code: Server.errors.FORBIDDEN,
+ message: Server.errorMessages[Server.errors.FORBIDDEN],
+ context: {
+ name: "CONNECTION_LIMIT_EXCEEDED",
+ },
+ });
+ closeConnection(Server.errors.FORBIDDEN);
+ return;
+ }
+
 let id;
 try {
 id = await this.generateId(req);
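Review bot: The doc comment on `maxConnections` in the first hunk promises `@default Infinity`, but nothing visible in this patch sets that default; the guard in the second hunk only skips the check when the option is null or undefined. Either document it as `@default undefined` (no limit) or assign the default wherever the other options receive theirs, which is outside this hunk. The comment should also state the accepted values, because `NaN` makes `this.clientsCount >= this.opts.maxConnections` always false and silently disables the limit, while `0` or a negative number rejects every handshake. It is also worth saying that the cap is server-wide rather than per client address, so a single source can occupy every slot unless a per-address limit is enforced in front of the server.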
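Review bot: The limit check in the second hunk reads `this.clientsCount` before `await this.generateId(req)`, so handshakes that arrive together can each pass the check before any of them is counted and the server can end up above `maxConnections`. The increment of `clientsCount` is outside the hunk, so this presumably depends on it happening after the await; confirm against the rest of the method, which starts and ends outside the hunk. If so, count in-flight handshakes as well (a counter raised right after the check and released once the socket is registered or the handshake fails) and compare the sum against the limit. Since `connection_error` is emitted for every rejected attempt, add a comment advising listeners to rate-limit their logging, otherwise a flood of rejected handshakes moves the load into the log pipeline.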