CVE-2024-52303

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. The leak was caused by each such request adding an entry to a cache, because building each MatchInfoError produced a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middleware with aiohttp.web should upgrade to version 3.10.11 to receive a patch.
CVSS 3.x Base Score

Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M   CNA   ---         ---          ---              ---             ---
CISA-ADP   ADP   7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score Percentile: 45%
Affected versions

Vendor   Product  Version
aiohttp  aiohttp  3.10.6 ≤ x < 3.10.11

x = vulnerable software versions
Debian Releases

Debian Product  Codename             Version            Status
python-aiohttp  bullseye             3.7.4-1            not-affected
python-aiohttp  bookworm             3.8.4-1+deb12u1    not-affected
python-aiohttp  bullseye (security)  3.7.4-1+deb11u1    fixed
python-aiohttp  bookworm (security)  3.8.4-1+deb12u1    fixed
python-aiohttp  forky                3.11.16-1          fixed
python-aiohttp  sid                  3.11.16-1          fixed
python-aiohttp  trixie               3.11.16-1          fixed
Ubuntu Releases

Ubuntu Product  Codename  Status
python-aiohttp  plucky    not-affected
python-aiohttp  oracular  not-affected
python-aiohttp  noble     not-affected
python-aiohttp  jammy     not-affected
python-aiohttp  focal     not-affected
python-aiohttp  bionic    not-affected
python-aiohttp  xenial    not-affected