CVE-2024-30251

Name of the Vulnerable Software and Affected Versions aiohttp versions prior to 3.9.4

Description The issue is related to an infinite loop that occurs when the aiohttp server processes a specially crafted POST (multipart/form-data) request. This allows an attacker to stop the application from serving requests after sending a single request, resulting in a denial of service. The attacker can send a malicious request to the server, causing it to enter an infinite loop and become unable to process further requests.

Recommendations For versions prior to 3.9.4, upgrade to version 3.9.4 or later to resolve the issue. As a temporary workaround, users unable to upgrade can manually apply a patch to their systems by modifying the read chunk from length() function in aiohttp/multipart.py to include the necessary checks for the end of the file. Restrict access to the vulnerable multipart.py module to minimize the risk of exploitation until a patch is applied. Avoid using the multipart/form-data request type in the affected API endpoint until the issue is resolved.