Memory Leak in Aiohttp Framework via MatchInfoError Causes Server Risk
CVE-2024-52303
What is CVE-2024-52303?
aiohttp, an asynchronous HTTP client/server framework for asyncio in Python, has a memory leak in versions 3.10.6 through 3.10.10. The leak is triggered when a request produces a MatchInfoError, the result the router returns when no route matches the request (for example an unknown path or an unsupported method): each such request adds a new, unique entry to an internal cache that is never reclaimed. An attacker can exploit this by sending a large volume of requests to unmatched routes, steadily growing the process's memory until the server runs out. Only aiohttp.web applications with at least one middleware installed are affected; those deployments should upgrade to aiohttp 3.10.11, which fixes the leak.
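The check a practitioner wants first is whether a deployment pins or runs an affected aiohttp release. The script below is an added example, not part of the advisory or of the aiohttp project: it scans pip-style requirement lines (a requirements.txt or the output of `pip freeze`) for exact pins of aiohttp inside 3.10.6 through 3.10.10, and separately reports the version installed in the current interpreter via `importlib.metadata`. The sample requirement lines are constructed for the demonstration; the version parser is a deliberate simplification that drops pre-release suffixes (so `3.10.6rc1` is flagged conservatively as affected) rather than a full PEP 440 implementation.

```python
"""Flag aiohttp versions in the CVE-2024-52303 affected range (3.10.6..3.10.10).

Added example, not code from the advisory or the aiohttp project.
Only exact pins (==) can be judged from a requirement line alone; any other
specifier is reported as needing a manual check of the resolved version.
"""
import re
from importlib.metadata import PackageNotFoundError, version
from typing import List, Tuple

AFFECTED_MIN = (3, 10, 6)
AFFECTED_MAX = (3, 10, 10)
FIXED_VERSION = "3.10.11"

# name, optional comparison operator, version; stops at markers (;) or comments (#)
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>==|>=|<=|~=|!=|>|<)?\s*(?P<ver>[^\s;#]*)"
)

# Constructed sample of `pip freeze` output used for the demonstration below.
SAMPLE_FREEZE = """\
# constructed sample, not a real environment
aiohappyeyeballs==2.4.3
aiohttp==3.10.8
aiosignal==1.3.1
AIOHTTP>=3.9  ; python_version < "3.13"
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.10.7' (or '3.10.7rc1') into (3, 10, 7); a non-numeric tail is dropped.

    Simplification: pre-release markers are ignored, which over-approximates
    (a pre-release of an affected version is reported as affected).
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(ver: str) -> bool:
    """True when ver falls inside 3.10.6 <= ver <= 3.10.10."""
    return AFFECTED_MIN <= parse_version(ver) <= AFFECTED_MAX


def check_requirements(lines) -> List[Tuple[str, str]]:
    """Return (line, verdict) for each aiohttp entry.

    verdict is 'affected', 'not affected', or 'manual check' (the specifier is
    not an exact pin, so the resolved version is unknown from the line alone).
    """
    findings = []
    for line in lines:
        m = _REQ_RE.match(line)
        if not m:
            continue
        # PEP 503 normalisation of the distribution name (case and _ vs -)
        name = m.group("name").lower().replace("_", "-")
        if name != "aiohttp":
            continue
        op, ver = m.group("op"), m.group("ver")
        if op == "==" and ver:
            verdict = "affected" if is_affected(ver) else "not affected"
        else:
            verdict = "manual check"
        findings.append((line.strip(), verdict))
    return findings


def installed_aiohttp_status() -> str:
    """Report whether the aiohttp installed in this interpreter is affected."""
    try:
        installed = version("aiohttp")
    except PackageNotFoundError:
        return "aiohttp not installed"
    if is_affected(installed):
        return f"aiohttp {installed}: affected, upgrade to {FIXED_VERSION} or later"
    return f"aiohttp {installed}: not in affected range"


if __name__ == "__main__":
    for line, verdict in check_requirements(SAMPLE_FREEZE.splitlines()):
        print(f"{verdict:13s} {line}")
    print(installed_aiohttp_status())
```

Run it against a real `pip freeze` by replacing the constructed sample with `sys.stdin` lines; a `manual check` verdict means the line is a range rather than a pin, so the version actually resolved in the lock file or environment is what decides exposure. Remember that the leak only matters for aiohttp.web applications that register middlewares, so an affected pin in a client-only project is worth upgrading but is not itself the exposure this advisory describes.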