Asymmetric denial of service - ReDoS In aiosend

Description

aiosend: Deserialization of request body before signature verification (Pre-auth DoS) in webhook handler

Vulnerability Description

In aiosend/webhook/base.py, the WebhookHandler.feed_update() method performs full deserialization of the incoming JSON via Pydantic before verifying the HMAC signature. Anyone can send a request with an arbitrary body — the server will parse it, spend CPU and memory, and only then reject it.

Vulnerable Code

# aiosend/webhook/base.py — feed_update()
update = Update.model_validate(body, context={"client": self})  #  parsing — always
if not self._check_signature(body, headers):                    #  auth — too late
    return False

Additional aggravating factor: CryptoPayObject is declared with ConfigDict(extra="allow") — all arbitrary fields from the body are stored in memory without any limits.
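To make the ordering problem concrete, here is an added illustration that is not code from aiosend: a minimal webhook handler in the advisory's "parse first, verify second" order next to a hardened variant that caps the body size and verifies an HMAC over the raw bytes before any JSON is parsed. The key derivation, the header name and the 64 KB cap are assumptions for the demo, not details taken from the page.

```python
import hashlib
import hmac
import json

# Constructed values: the real key derivation and header name are assumptions, not from the page.
SECRET = hashlib.sha256(b"example-api-token").digest()
SIG_HEADER = "crypto-pay-api-signature"
MAX_BODY_BYTES = 64 * 1024  # assumed cap; the advisory says the library imposes none


def sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def check_signature(body: bytes, headers: dict) -> bool:
    # Constant-time compare over the raw bytes, before any JSON work.
    return hmac.compare_digest(sign(body), headers.get(SIG_HEADER, ""))


def feed_update_vulnerable(body: bytes, headers: dict, stats: dict) -> bool:
    """Order described in the advisory: parse first, verify second."""
    json.loads(body)                     # CPU/memory spent for every sender
    stats["parsed"] += 1
    return check_signature(body, headers)


def feed_update_hardened(body: bytes, headers: dict, stats: dict) -> bool:
    """Cheap checks first: size cap, then HMAC over raw bytes, then parse."""
    if len(body) > MAX_BODY_BYTES or not check_signature(body, headers):
        return False
    json.loads(body)                     # only authenticated bodies reach the parser
    stats["parsed"] += 1
    return True


def run_demo() -> dict:
    # Constructed traffic: one unsigned oversized body full of extra fields, one signed valid update.
    junk = json.dumps({"update_id": 1, **{f"x{i}": "a" * 32 for i in range(20_000)}}).encode()
    good = json.dumps({"update_id": 1, "update_type": "invoice_paid"}).encode()
    results = {}
    for name, handler in (("vulnerable", feed_update_vulnerable), ("hardened", feed_update_hardened)):
        stats = {"parsed": 0}
        forged = handler(junk, {SIG_HEADER: "00" * 32}, stats)
        valid = handler(good, {SIG_HEADER: sign(good)}, stats)
        results[name] = {"forged_accepted": forged, "valid_accepted": valid, "parsed": stats["parsed"]}
    return results


if __name__ == "__main__":
    print(run_demo())
```

Both handlers reject the forged request, but only the vulnerable one pays the parsing cost for it; `parsed` counts how many bodies each handler actually deserialized.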

Minimal PoC

Requests with deliberately invalid signatures (zero credentials):

extra_fields | body_size | parse_time | status

All requests were rejected — but the server already performed parsing for each one. 10 parallel threads with 5 MB bodies = >75 ms of CPU spent on requests that will never be authorized.

Affected Components

    aiosend/webhook/base.py: WebhookHandler.feed_update()

    aiosend/types/base.py: CryptoPayObject (extra="allow")

    All adapters: AiohttpManager, FastAPIManager, FlaskManager

Exploitation Conditions

    Attacker: anyone with network access to the webhook endpoint

    Authentication: not required

    Body size limit: absent at the library level (Flask and FastAPI have no default limit)


The advisory was translated using Copilot.

Mitigation
