HIGH 7.5

GHSA-27mf-ghqm-j3j8

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

Details

### Summary

A memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due to the building of each `MatchInfoError` producing a unique cache entry.
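The growth pattern described in the summary, as an added example that is not aiohttp's code or part of the original advisory. It is a simplified model: the class and function names are hypothetical, the unbounded dict stands in for the cache, and skipping the cache for error matches is assumed here as one way to stop the growth.

```python
# Simplified model of the leak pattern. All names are hypothetical;
# this is not aiohttp's implementation.

def ok_handler(request):
    return 200

class ErrorMatch:
    """Stands in for a per-request error match (e.g. method not allowed)."""
    def __init__(self, status):
        self.status = status
    def handler(self, request):
        return self.status

def passthrough_mw(next_handler):
    def call(request):
        return next_handler(request)
    return call

def wrap(handler, middlewares):
    """Build the middleware chain around a handler (the work being cached)."""
    for mw in reversed(middlewares):
        handler = mw(handler)
    return handler

class App:
    def __init__(self, bypass_cache_for_errors):
        self.middlewares = [passthrough_mw]
        self.cache = {}  # handler -> wrapped handler, never evicted
        self.bypass = bypass_cache_for_errors

    def resolve(self, method):
        # Only GET is routed; any other method yields a NEW error object,
        # so its bound handler is a key the cache has never seen.
        return ok_handler if method == "GET" else ErrorMatch(405).handler

    def handle(self, method):
        handler = self.resolve(method)
        if handler is not ok_handler and self.bypass:
            return wrap(handler, self.middlewares)(method)  # not cached
        if handler not in self.cache:
            self.cache[handler] = wrap(handler, self.middlewares)
        return self.cache[handler](method)

def cache_size_after(methods, bypass):
    """Replay constructed request methods and report cache entries."""
    app = App(bypass)
    for method in methods:
        app.handle(method)
    return len(app.cache)
```

With the cache keyed on the per-request error handler, the entry count tracks the number of error requests; with the bypass it stays at the number of real routes.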

### Impact

If the user is making use of any middlewares with `aiohttp.web` then it is advisable to upgrade immediately.

An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936

Affected packages

PyPI / aiohttp
First affected version: 3.10.6
Fixed version: 3.10.11
Fix: `pip install --upgrade 'aiohttp>=3.10.11'`

References