Fluid Attacks Database

Description

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

Summary

A memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry.

Impact

If the user is making use of any middlewares with aiohttp.web then it is advisable to upgrade immediately.

An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.

Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	python-aiohttp	>=0 <3.10.11-1	3.10.11-1
debian 14	python-aiohttp	>=0 <3.10.11-1	3.10.11-1
pypi	aiohttp	>=3.10.6 <3.10.11	3.10.11

Aliases

1. CVE-2024-523032. NVD-2024-523033. OSV-DEBIAN-2024-523034. OSV-2024-523035. GHSA-27mf-ghqm-j3j86. GCVE-2024-523037. SECURITY-TRACKER-CVE-2024-52303

References

1. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-27mf-ghqm-j3j82. https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.