CVE-2024-30251: Infinite Loop in Aiohttp

CWE-835: Infinite Loop (11 documents, 9 sources)

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 41.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: May 2
Latest update: Jul 17

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may m

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (3 packages)

NVD: aiohttp/aiohttp < 3.9.4
PyPI: aiohttp/aiohttp < 3.9.4
CVEListV5: aio-libs/aiohttp < 3.9.4

Patches

Vulnerability Details (5)

OSV: python-aiohttp vulnerabilities (2025-07-17)
OSV: aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests (2024-05-03)
GHSA: aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests (2024-05-03)
CVEList: Denial of service when trying to parse malformed POST requests in aiohttp (2024-05-02)
OSV: CVE-2024-30251: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python (2024-05-02)

Vendor Advisories (5)

Ubuntu: AIOHTTP vulnerabilities (2025-07-17)
Oracle: Oracle Communications Risk Matrix: Probe (AIOHTTP) — CVE-2024-30251 (2024-10-15)
Microsoft: Denial of service when trying to parse malformed POST requests in aiohttp (2024-05-14)
Red Hat: aiohttp: DoS when trying to parse malformed POST requests (2024-05-02)
Debian: CVE-2024-30251: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ... (2024)
CVE-2024-30251 — Infinite Loop in Aio-libs Aiohttp | cvebase