aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.
History

Fri, 22 Nov 2024 14:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Tue, 19 Nov 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Aiohttp
Aiohttp aio-libs
CPEs cpe:2.3:a:aiohttp:aio-libs:*:*:*:*:*:*:*:*
Vendors & Products Aiohttp
Aiohttp aio-libs
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 18 Nov 2024 20:15:00 +0000

Type Values Removed Values Added
Description aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.
Title aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method
Weaknesses CWE-772
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-18T20:08:15.387Z

Updated: 2024-11-19T14:45:27.044Z

Reserved: 2024-11-06T19:00:26.396Z

Link: CVE-2024-52303

cve-icon Vulnrichment

Updated: 2024-11-19T14:45:10.297Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-18T20:15:06.047

Modified: 2024-11-19T21:57:32.967

Link: CVE-2024-52303

cve-icon Redhat

Severity : Important

Publid Date: 2024-11-18T20:08:15Z

Links: CVE-2024-52303 - Bugzilla