CVE-2024-12254 — Uncontrolled Resource Consumption in Software Foundation Cpython

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling9 documents8 sources

Severity

8.7HIGHNVD

EPSS

0.2%

top 51.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedDec 6

Latest updateJan 20

Description

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython3.12.0 — 3.12.9+2

🔴Vulnerability Details

OSV

CVE-2024-12254: Starting in Python 3↗2024-12-06

▶

GHSA

GHSA-ph84-rcj2-fxxm: Starting in Python 3↗2024-12-06

▶

CVEList

Unbounded memory buffering in SelectorSocketTransport.writelines()↗2024-12-06

▶

OSV

CVE-2024-12254: Starting in Python 3↗2024-12-06

▶

📋Vendor Advisories

Ubuntu

Python vulnerability↗2025-01-20

▶

Microsoft

Unbounded memory buffering in SelectorSocketTransport.writelines()↗2024-12-10

▶

Red Hat

python: Unbounded memory buffering in SelectorSocketTransport.writelines()↗2024-12-06

▶

Debian

CVE-2024-12254: python3.11 - Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() me...↗2024

▶