MEDIUM

GHSA-g3cq-j2xw-wf74

aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

상세

### Summary

During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.

### Impact

An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).

### Workaround

Disable compression if unable to upgrade.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / aiohttp

최초 영향 버전: 0 수정 버전: 3.14.1

수정 pip install --upgrade 'aiohttp>=3.14.1'

참고

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74 [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]