aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Tue, 19 Nov 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Aiohttp
Aiohttp aio-libs |
|
CPEs | cpe:2.3:a:aiohttp:aio-libs:*:*:*:*:*:*:*:* | |
Vendors & Products |
Aiohttp
Aiohttp aio-libs |
|
Metrics |
cvssV3_1
|
Mon, 18 Nov 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch. | |
Title | aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method | |
Weaknesses | CWE-772 | |
References |
| |
Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-11-18T20:08:15.387Z
Updated: 2024-11-19T14:45:27.044Z
Reserved: 2024-11-06T19:00:26.396Z
Link: CVE-2024-52303
Vulnrichment
Updated: 2024-11-19T14:45:10.297Z
NVD
Status : Awaiting Analysis
Published: 2024-11-18T20:15:06.047
Modified: 2024-11-19T21:57:32.967
Link: CVE-2024-52303
Redhat