CVE-2024-52303Missing Release of Resource after Effective Lifetime in Aiohttp

CWE-772Missing Release of Resource after Effective Lifetime8 documents7 sources
Severity
8.7HIGHNVD
EPSS
0.4%
top 39.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
AiohttpAio-libs Aiohttp
Timeline
PublishedNov 18
Latest updateApr 15

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any mi

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

NVDaiohttp/aiohttp3.10.63.10.11
PyPIaiohttp/aiohttp3.10.63.10.11
CVEListV5aio-libs/aiohttp>= 3.10.6, < 3.10.11

Patches

Patch: github.com

🔴Vulnerability Details

4
GHSA
aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method2024-11-18
OSV
aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method2024-11-18
CVEList
aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method2024-11-18
OSV
CVE-2024-52303: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python2024-11-18

📋Vendor Advisories

3
Oracle
Oracle Oracle Communications Risk Matrix: Automated Test Suite (AIOHTTP) — CVE-2024-523032025-04-15
Red Hat
aiohttp: aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method2024-11-18
Debian
CVE-2024-52303: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ...2024
CVE-2024-52303 — Aiohttp vulnerability | cvebase