PT-2024-8691 · Aiohttp · Aiohttp
Dreamsorcerer · Published 2024-11-18 · Updated 2025-08-15 · CVE-2024-52303
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
aiohttp versions 3.10.6 through 3.10.10
Description
A memory leak can occur when a request produces a MatchInfoError. The issue is caused by adding an entry to a cache on each request, because building each MatchInfoError produces a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.
Recommendations
For aiohttp versions 3.10.6 through 3.10.10, upgrade to version 3.10.11 to receive a patch.
As a temporary workaround, consider restricting the number of requests that can produce a MatchInfoError to minimize the risk of exploitation.
Weakness Enumeration
Missing Release of Resource after Effective Lifetime
Affected Products
Aiohttp
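aiohttp resolves the route, and so builds the MatchInfoError and its cache entry, before application middlewares run, so the cap described in the temporary workaround belongs in front of the application (reverse proxy or firewall). The following is an added example, not the aiohttp project's code: it picks the clients to restrict out of aiohttp's default-format access-log lines, flagging those with more than `limit` 404/405 responses inside a `window_s`-second window. The sample log lines are constructed and both thresholds are assumptions to tune per service.

```python
import re
from collections import defaultdict
from datetime import datetime

# aiohttp's default access-log format is
#   %a %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
ACCESS_RE = re.compile(
    r'^(?P<remote>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)
# A MatchInfoError is built for an unmatched path (404) or a matched path with an
# unsupported method (405); a handler raising 404 itself logs the same status.
MATCH_ERROR_STATUSES = {"404", "405"}


def parse_match_errors(lines):
    """Return {remote: [unix timestamps]} for every 404/405 response.
    Repeated identical paths are kept: each request leaks its own entry."""
    hits = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["status"] in MATCH_ERROR_STATUSES:
            ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["remote"]].append(ts.timestamp())
    return hits


def clients_over_budget(lines, limit, window_s):
    """Clients with more than `limit` unmatched-route responses inside any
    `window_s`-second window; returns {remote: count in the first such window}."""
    flagged = {}
    for remote, stamps in parse_match_errors(lines).items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window_s:   # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged[remote] = end - start + 1
                break
    return flagged


# Constructed sample log lines (not from a real deployment).
SAMPLE_LOG = [
    '10.0.0.5 [18/Nov/2024:10:00:00 +0000] "GET /a HTTP/1.1" 404 172 "-" "probe/1.0"',
    '10.0.0.5 [18/Nov/2024:10:00:01 +0000] "GET /a HTTP/1.1" 404 172 "-" "probe/1.0"',
    '10.0.0.5 [18/Nov/2024:10:00:02 +0000] "POST / HTTP/1.1" 405 172 "-" "probe/1.0"',
    '10.0.0.9 [18/Nov/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 [18/Nov/2024:10:05:00 +0000] "GET /old HTTP/1.1" 404 172 "-" "Mozilla/5.0"',
]
```

Feed the flagged addresses to whatever sits in front of the server (proxy rate limit or firewall rule), since a 429 issued inside the application would arrive after the cache entry has already been created.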