GHSA-8554-jxcw-454q

Source

https://github.com/advisories/GHSA-8554-jxcw-454q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-8554-jxcw-454q/GHSA-8554-jxcw-454q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8554-jxcw-454q

Aliases

Published

2019-03-12T15:16:12Z

Modified

2025-08-04T21:12:40.126345Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Webargs mishandles concurrent JSON parsing

Details

An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-362"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:24:21Z"
}

References

Affected packages

PyPI / webargs

Package

Name: webargs; View open source insights on deps.dev
Purl: pkg:pypi/webargs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.1.3

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.4.0

0.5.0

0.5.1

0.6.0

0.6.1

0.6.2

0.7.0

0.8.0

0.8.1

0.9.0

0.9.1

0.10.0

0.11.0

0.12.0

0.13.0

0.14.0

0.15.0

0.16.0

0.17.0

0.18.0

1.*

1.0.0

1.1.0

1.1.1

1.2.0

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.5.0

1.5.1

1.5.2

1.5.3

1.6.0

1.6.1

1.6.2

1.6.3

1.7.0

1.8.0

1.8.1

1.9.0

1.10.0

2.*

2.0.0

2.1.0

3.*

3.0.0

3.0.1

3.0.2

4.*

4.0.0

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0

4.3.0

4.3.1

4.4.0

4.4.1

5.*

5.0.0

5.1.0

5.1.1

5.1.1.post0

5.1.2