Moderate severity · NVD Advisory · Published Nov 18, 2024 · Updated Nov 19, 2024
aiohttp memory leak when middleware is enabled and a resource is requested with a non-allowed method
CVE-2024-52303
Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| aiohttp | PyPI | >= 3.10.6, < 3.10.11 | 3.10.11 |
Affected products
24 package coordinates from OSV; none of these entries has a CPE assigned. The affected range is listed per package.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/airflow | < 2.10.3-r2 |
| pkg:apk/chainguard/airflow-bitnami-compat | < 2.10.3-r2 |
| pkg:apk/chainguard/airflow-compat | < 2.10.3-r2 |
| pkg:apk/chainguard/checkov | < 3.2.432-r0 |
| pkg:apk/chainguard/py3.10-aiohttp | < 3.10.11-r0 |
| pkg:apk/chainguard/py3.10-vllm-cuda-11.8 | < 0.6.5-r0 |
| pkg:apk/chainguard/py3.10-wheels-vllm-cuda-11.8 | < 0.6.5-r0 |
| pkg:apk/chainguard/py3.11-aiohttp | < 3.10.11-r0 |
| pkg:apk/chainguard/py3.12-aiohttp | < 3.10.11-r0 |
| pkg:apk/chainguard/py3.13-aiohttp | < 3.10.11-r0 |
| pkg:apk/chainguard/py3-aiohttp | < 3.10.11-r0 |
| pkg:apk/chainguard/py3-supported-aiohttp | < 3.10.11-r0 |
| pkg:apk/wolfi/airflow | < 2.10.3-r2 |
| pkg:apk/wolfi/airflow-bitnami-compat | < 2.10.3-r2 |
| pkg:apk/wolfi/airflow-compat | < 2.10.3-r2 |
| pkg:apk/wolfi/checkov | < 3.2.432-r0 |
| pkg:apk/wolfi/py3.10-aiohttp | < 3.10.11-r0 |
| pkg:apk/wolfi/py3.11-aiohttp | < 3.10.11-r0 |
| pkg:apk/wolfi/py3.12-aiohttp | < 3.10.11-r0 |
| pkg:apk/wolfi/py3.13-aiohttp | < 3.10.11-r0 |
| pkg:apk/wolfi/py3-aiohttp | < 3.10.11-r0 |
| pkg:apk/wolfi/py3-supported-aiohttp | < 3.10.11-r0 |
| pkg:pypi/aiohttp | >= 3.10.6, < 3.10.11 |
| pkg:rpm/opensuse/python-aiohttp (distro: openSUSE Tumbleweed) | < 3.11.9-1.1 |
References
- github.com/advisories/GHSA-27mf-ghqm-j3j8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-52303 (NVD advisory)
- github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936 (fix commit)
- github.com/aio-libs/aiohttp/security/advisories/GHSA-27mf-ghqm-j3j8 (vendor advisory)