Infinite Loop Vulnerability Affects aiohttp Server
CVE-2024-30251

7.5 HIGH

Key Information:

Vendor: Aio-libs
Status: Vendor
CVE Published: 2 May 2024

What is CVE-2024-30251?

aiohttp is an asynchronous HTTP client/server framework for Python. Versions before 3.9.4 are susceptible to an infinite loop in the server's handling of a specially crafted POST request with a multipart/form-data body. While the server processes such a request it loops indefinitely and stops serving any subsequent requests, so a single unauthenticated network request is enough to deny service to legitimate users. Only the server side is affected; the aiohttp client is not part of this issue. The fix shipped in aiohttp 3.9.4, and users should upgrade to that version or later. Those unable to upgrade can apply the manual patch described in the project's security advisory for this CVE.

Affected Version(s)

aiohttp < 3.9.4
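The affected range above ("aiohttp < 3.9.4") is simple to state but easy to get wrong in practice when pre-releases, padded version numbers or unpinned requirements are involved. The following script, an added example that is not code from the advisory or from the aiohttp project, audits a pip-freeze or requirements listing against that range and also classifies the aiohttp installed in the current interpreter. It relies only on the standard library; the sample requirement lines are constructed for the demonstration.

```python
"""
Audit Python requirement listings and the running environment for aiohttp
versions affected by CVE-2024-30251 (fixed in aiohttp 3.9.4).
Added example for this advisory page; not part of aiohttp itself.
"""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

FIXED_RELEASE = (3, 9, 4)

# name, optional extras such as [speedups], optional operator and version.
# Longer operators come first so "===" is not read as "==" followed by "=3.9.4".
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^\s;#,]+)?"
)
# Numeric release segment plus an optional alpha/beta/rc pre-release marker.
_VER_RE = re.compile(r"^(?P<release>\d+(?:\.\d+)*)(?P<pre>(?:a|b|rc)\d+)?")


def classify(version_str):
    """Return 'vulnerable', 'fixed' or 'unparseable' for one aiohttp version.

    A release earlier than 3.9.4 is vulnerable; so is any pre-release of
    3.9.4 itself (e.g. 3.9.4rc0), since it predates the fixed release.
    """
    m = _VER_RE.match(version_str)
    if not m:
        return "unparseable"
    release = tuple(int(part) for part in m.group("release").split("."))
    release = (release + (0, 0, 0))[:3]          # pad "3.8" to (3, 8, 0)
    if release < FIXED_RELEASE:
        return "vulnerable"
    if release == FIXED_RELEASE and m.group("pre"):
        return "vulnerable"
    return "fixed"


def audit_requirements(lines):
    """Return (line, status, detail) for every aiohttp entry in the listing.

    Only exact pins (== / ===) can be verified; range specifiers are
    reported as 'unpinned' so the resolver's choice is checked elsewhere.
    """
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower().replace("_", "-").replace(".", "-")
        if name != "aiohttp":
            continue
        op, ver = m.group("op"), m.group("ver")
        if op not in ("==", "===") or ver is None:
            findings.append((line, "unpinned", "cannot verify; require aiohttp>=3.9.4"))
            continue
        status = classify(ver)
        detail = {
            "vulnerable": f"aiohttp {ver} < 3.9.4 (CVE-2024-30251)",
            "fixed": f"aiohttp {ver} >= 3.9.4",
            "unparseable": f"could not parse version {ver!r}",
        }[status]
        findings.append((line, status, detail))
    return findings


def installed_aiohttp_status():
    """Classify the aiohttp installed in this interpreter, or None if absent."""
    try:
        ver = installed_version("aiohttp")
    except PackageNotFoundError:
        return None
    return ver, classify(ver)


# Constructed sample listing (not a real lock file) covering the edge cases.
SAMPLE_REQUIREMENTS = [
    "# constructed sample, not a real lock file",
    "aiohttp==3.9.3            # last affected 3.9.x release",
    "aiohttp[speedups]==3.9.4  # first fixed release, with an extra",
    "aiohttp==3.10.0",
    "aiohttp>=3.8              # range specifier: resolver decides",
    "aiohttp==3.9.4rc0         # pre-release of the fixed version",
    "yarl==1.9.4               # unrelated package, ignored",
]

if __name__ == "__main__":
    for line, status, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:<11} {line:<28} {detail}")
    print("installed:", installed_aiohttp_status())
```

Run it against the output of `pip freeze` or a lock file by replacing `SAMPLE_REQUIREMENTS` with the file's lines. Entries reported as `unpinned` are not safe by default; they need to be checked in the resolved environment, which is what `installed_aiohttp_status()` does for the interpreter running the script.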

CVSS V3.1

Score: 7.5
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 2 May 2024

  • Vulnerability reserved