PT-2026-45674 · Pypi · Aiosend
Published 2026-05-22 · Updated 2026-05-22
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Description
In aiosend/webhook/base.py, the WebhookHandler.feed_update() method fully deserializes the incoming JSON body through Pydantic before it verifies the HMAC signature. Anyone can send a request with an arbitrary body: the server parses it, spends CPU and memory on it, and only then rejects it.
Vulnerable Code
```python
# aiosend/webhook/base.py — feed_update()
update = Update.model_validate(body, context={"client": self})  # parsing — always
if not self._check_signature(body, headers):  # auth — too late
    return False
```
Additional aggravating factor: CryptoPayObject is declared with ConfigDict(extra="allow"), so every arbitrary field in the body is kept in memory as a model attribute, with no limit on the number or size of such fields.
Minimal PoC
Requests with deliberately invalid signatures (no credentials at all):
| extra fields | body size | parse time | status |
|---|---|---|---|
| 0 | 336 B | 26 µs | 403 REJECTED |
| 1,000 | 82 KB | 257 µs | 403 REJECTED |
| 5,000 | 410 KB | 1,183 µs | 403 REJECTED |
| 10,000 | 820 KB | 2,552 µs | 403 REJECTED |
| 10,000 (×512B) | 5.3 MB | 7,490 µs | 403 REJECTED |
All requests were rejected, but the server had already parsed each body before rejecting it. Ten parallel requests with 5 MB bodies cost roughly 10 × 7,490 µs, more than 75 ms of CPU, for requests that will never be authorized.
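As an added example (not aiosend's own code, and not the project's fix), the following block places the handler ordering from the advisory beside a hardened version that caps the body size, verifies the HMAC over the raw bytes, and only then deserializes. The header name `crypto-pay-api-signature`, the key derivation SHA256(api_token) and the 64 KB cap are assumptions, not facts from the advisory; Pydantic's `Update.model_validate()` is stood in for by `json.loads` so the block runs on the standard library alone. Counters record how much work each ordering does for one genuine request and two forged ones built to match the PoC rows (1,000 padding fields, and 10,000 fields of 512 bytes).

```python
"""Added example (not aiosend's own code): verify the webhook HMAC over the raw
body before deserializing it, and cap the body size before doing even that.

Assumptions (not from the advisory): the signature arrives in the
"crypto-pay-api-signature" header as hex HMAC-SHA256 over the raw body, keyed
with SHA256(api_token); Pydantic's Update.model_validate() is modelled by
json.loads so the example runs on the stdlib alone."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

MAX_BODY_BYTES = 64 * 1024  # assumed cap; a real update is a few hundred bytes
SIGNATURE_HEADER = "crypto-pay-api-signature"  # assumed header name


@dataclass
class Stats:
    """Counts how much work a handler did across the requests it saw."""
    parsed: int = 0        # bodies that reached the expensive deserialization
    hmac_checked: int = 0  # bodies that had an HMAC computed over them
    rejected: int = 0


def signing_key(api_token: str) -> bytes:
    return hashlib.sha256(api_token.encode()).digest()


def sign(api_token: str, body: bytes) -> str:
    return hmac.new(signing_key(api_token), body, hashlib.sha256).hexdigest()


def check_signature(api_token: str, body: bytes, headers: dict, stats: Stats) -> bool:
    """HMAC over the raw bytes as received; compare_digest avoids a timing leak."""
    stats.hmac_checked += 1
    expected = sign(api_token, body)
    provided = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(provided.encode(), expected.encode())


def parse_update(body: bytes, stats: Stats) -> dict:
    """Stand-in for Update.model_validate(): the attacker-controlled cost."""
    stats.parsed += 1
    return json.loads(body)


def feed_update_vulnerable(api_token: str, body: bytes, headers: dict,
                           stats: Stats) -> Optional[dict]:
    """Same ordering as the advisory: parse first, authenticate second."""
    update = parse_update(body, stats)
    if not check_signature(api_token, body, headers, stats):
        stats.rejected += 1
        return None
    return update


def feed_update_hardened(api_token: str, body: bytes, headers: dict,
                         stats: Stats) -> Optional[dict]:
    """Cheapest check first, then authentication, then (and only then) parsing."""
    if len(body) > MAX_BODY_BYTES:      # O(1) rejection: no HMAC, no parse
        stats.rejected += 1
        return None
    if not check_signature(api_token, body, headers, stats):  # O(n) HMAC only
        stats.rejected += 1
        return None
    return parse_update(body, stats)    # reached only by authenticated bodies


def build_body(extra_fields: int, field_size: int = 8) -> bytes:
    """Constructed sample update plus padding fields (extra='allow' keeps them all)."""
    update = {"update_id": 1, "update_type": "invoice_paid", "payload": {"invoice_id": 42}}
    pad = "A" * field_size
    for i in range(extra_fields):
        update[f"x{i}"] = pad
    return json.dumps(update, separators=(",", ":")).encode()


def run_demo(api_token: str = "12345:example-token") -> dict:
    """Feed one genuine and two forged requests to both handlers, return the counters."""
    legit = build_body(0)
    requests = [
        (legit, {SIGNATURE_HEADER: sign(api_token, legit)}),        # genuine
        (build_body(1_000), {SIGNATURE_HEADER: "00" * 32}),          # 1,000 fields, bad sig
        (build_body(10_000, 512), {SIGNATURE_HEADER: "00" * 32}),    # ~5 MB, bad sig
    ]
    results = {}
    for name, handler in (("vulnerable", feed_update_vulnerable),
                          ("hardened", feed_update_hardened)):
        stats = Stats()
        accepted = [handler(api_token, b, h, stats) is not None for b, h in requests]
        results[name] = {"accepted": accepted, "parsed": stats.parsed,
                         "hmac_checked": stats.hmac_checked, "rejected": stats.rejected}
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:10s} accepted={r['accepted']} parsed={r['parsed']} "
              f"hmac_checked={r['hmac_checked']} rejected={r['rejected']}")
```

Running the block prints the counters: the vulnerable ordering parses all three bodies and computes three HMACs, while the hardened ordering computes two HMACs (the 5 MB body is dropped on size alone) and parses only the one authenticated body; both accept the genuine request. Computing the HMAC over the raw bytes rather than over a re-serialized model also matters, since re-serialization can change key order or whitespace and silently break the comparison.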
Affected Components
- aiosend/webhook/base.py: WebhookHandler.feed_update()
- aiosend/types/base.py: CryptoPayObject (extra="allow")
- All adapters: AiohttpManager, FastAPIManager, FlaskManager
Exploitation Conditions
- Attacker: anyone with network access to the webhook endpoint
- Authentication: not required
- Body size limit: none at the library level (Flask and FastAPI impose no default limit; aiohttp's default client_max_size of 1 MiB caps a single request at that size but does not remove the per-request parsing cost)
The advisory was translated using Copilot.
Fix
Resource Exhaustion
Weakness Enumeration
Related identifiers
Affected products
Aiosend