GHSA-27mf-ghqm-j3j8

Suggest an improvement
Source
https://github.com/advisories/GHSA-27mf-ghqm-j3j8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-27mf-ghqm-j3j8/GHSA-27mf-ghqm-j3j8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-27mf-ghqm-j3j8
Aliases
Related
Published
2024-11-18T21:02:17Z
Modified
2024-11-19T21:00:57.011864Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method
Details

Summary

A memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry.

Impact

If the user is making use of any middlewares with aiohttp.web then it is advisable to upgrade immediately.

An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.


Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936

Database specific
{
    "nvd_published_at": "2024-11-18T20:15:06Z",
    "cwe_ids": [
        "CWE-772"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-18T21:02:17Z"
}
References

Affected packages

PyPI / aiohttp

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.10.6
Fixed
3.10.11

Affected versions

3.*

3.10.6
3.10.7
3.10.8
3.10.9
3.10.10
3.10.11rc0