CVE-2019-9710 – webargs

Package

Manager: pip
Name: webargs
Vulnerable Version: >=0 <5.1.3

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

EPSS: 0.00363 pctl0.57607

Details

Webargs mishandles concurrent JSON parsing An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests.

Metadata

Created: 2019-03-12T15:16:12Z
Modified: 2025-08-04T21:03:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-8554-jxcw-454q/GHSA-8554-jxcw-454q.json
CWE IDs: ["CWE-362"]
Alternative ID: GHSA-8554-jxcw-454q
Finding: F124
Auto approve: 1