HIGH 7.5

GHSA-27mf-ghqm-j3j8

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

Details

### Summary

A memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due to the building of each `MatchInfoError` producing a unique cache entry.

### Impact

If the user is making use of any middlewares with `aiohttp.web` then it is advisable to upgrade immediately.

An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 3.10.6 Fixed in: 3.10.11

Fix pip install --upgrade 'aiohttp>=3.10.11'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-27mf-ghqm-j3j8 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2024-52303 [ADVISORY]
https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936 [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]