Infinite Loop Vulnerability Affects aiohttp Server
CVE-2024-30251
What is CVE-2024-30251?
aiohttp, an asynchronous HTTP client/server framework for Python, is susceptible to an infinite loop vulnerability caused by improper request handling. An attacker can exploit the flaw by sending a specially crafted POST (multipart/form-data) request to the server. While processing this request, the aiohttp server enters an infinite loop and stops handling any subsequent requests. The result is a denial of service in which legitimate users are unable to access the application. The issue is fixed in version 3.9.4, and users are advised to upgrade to that version. For those unable to upgrade, the linked security advisory describes a manual patch with detailed instructions.

Affected Version(s)
aiohttp < 3.9.4
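An added example, not taken from the advisory or the aiohttp project: a small dependency audit that flags exact aiohttp pins below 3.9.4, the fixed version named above. The requirements lines are constructed sample input, and the version parsing is a simplified PEP 440 reading (an assumption), so ranges and unparseable pins are reported as "unpinned" for manual review.

```python
import re

FIXED = (3, 9, 4)  # first fixed release, per the text above

# Matches the aiohttp distribution only, not aiohttp-cors, aiohttp_jinja2, etc.
_REQ = re.compile(r"^\s*aiohttp(?![\w.\-])(?:\[[^\]]*\])?\s*([^;#]*)", re.I)
_PIN = re.compile(r"={2,3}\s*([^\s,*]+)(?=\s|$)")
_PRE = re.compile(r"[.\-_]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)

def parse_release(version):
    """Return (release_tuple, is_prerelease), or None if not understood."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", version.strip(), re.I)
    if not m or m.group(2).startswith("!"):  # epochs are not handled here
        return None
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * max(0, 3 - len(release))
    return release, bool(_PRE.match(m.group(2)))

def classify(line):
    """'affected', 'fixed', 'unpinned', or None when the line is not aiohttp."""
    req = _REQ.match(line)
    if not req:
        return None
    pin = _PIN.match(req.group(1).strip())
    parsed = parse_release(pin.group(1)) if pin else None
    if parsed is None:
        return "unpinned"  # range, wildcard or bare name: check the resolved version
    release, pre = parsed
    # A pre-release of 3.9.4 sorts before 3.9.4, so it is treated as affected.
    return "affected" if release < FIXED or (release == FIXED and pre) else "fixed"

def scan(lines):
    """Return (line_number, status) for every aiohttp requirement found."""
    hits = ((n, classify(text)) for n, text in enumerate(lines, start=1))
    return [(n, status) for n, status in hits if status]

# Constructed sample input, not from any real project.
SAMPLE = """\
# constructed requirements file
aiohttp==3.9.3
aiohttp-cors==0.7.0
aiohttp[speedups]==3.8.6 ; python_version >= "3.8"
aiohttp==3.9.4
aiohttp>=3.8
""".splitlines()

if __name__ == "__main__":
    for lineno, status in scan(SAMPLE):
        print(f"line {lineno}: {status}")
```

An "unpinned" result means the file alone cannot answer the question; compare the version actually installed or recorded in the lock file against 3.9.4.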
