CVE-2024-52303 – aiohttp

Package

Manager: pip
Name: aiohttp
Vulnerable Version: >=3.10.6 <3.10.11

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00248 pctl0.47921

Details

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method ### Summary A memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due to the building of each `MatchInfoError` producing a unique cache entry. ### Impact If the user is making use of any middlewares with `aiohttp.web` then it is advisable to upgrade immediately. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. ----- Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936

Metadata

Created: 2024-11-18T21:02:17Z
Modified: 2024-11-19T20:48:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-27mf-ghqm-j3j8/GHSA-27mf-ghqm-j3j8.json
CWE IDs: ["CWE-772"]
Alternative ID: GHSA-27mf-ghqm-j3j8
Finding: F067
Auto approve: 1