CVE-2024-30251

EUVD-2024-1442
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions.
Infinite Loop
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M | CNA | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score: CVSS 3.x
EPSS Score: Percentile 57%
Affected Products (NVD)
Vendor | Product | Version
aiohttp | aiohttp | x < 3.9.4
x = vulnerable software versions
Debian Releases
Debian Product | Codename | Version | Status
python-aiohttp | bookworm | 3.8.4-1+deb12u1 | fixed
python-aiohttp | bookworm (security) | 3.8.4-1+deb12u1 | fixed
python-aiohttp | bullseye | (none) | vulnerable
python-aiohttp | bullseye (security) | 3.7.4-1+deb11u1 | fixed
python-aiohttp | buster | (none) | postponed
python-aiohttp | forky | 3.13.1-1 | fixed
python-aiohttp | sid | 3.13.1-1 | fixed
python-aiohttp | trixie | 3.11.16-1 | fixed
Ubuntu Releases
Ubuntu Product | Codename | Status | Fixed Version
python-aiohttp | bionic | not-affected | (none)
python-aiohttp | focal | released | 3.6.2-1ubuntu1+esm4
python-aiohttp | jammy | released | 3.8.1-4ubuntu0.2+esm1
python-aiohttp | mantic | ignored | (none)
python-aiohttp | noble | released | 3.9.1-1ubuntu0.1+esm1
python-aiohttp | oracular | not-affected | (none)
python-aiohttp | plucky | not-affected | (none)
python-aiohttp | questing | not-affected | (none)
python-aiohttp | xenial | not-affected | (none)