Use-After-Free Vulnerability in pycares Python Module by Pycares
CVE-2025-48945

8.2 HIGH

Key Information:

Vendor

Aio-libs

Status
Vendor
CVE Published:
20 June 2025

What is CVE-2025-48945?

The pycares Python module, which wraps the C library c-ares for asynchronous DNS requests, is susceptible to a use-after-free vulnerability. The issue arises when a Channel object is garbage collected while DNS queries are still pending, which can lead to a fatal error in Python and crash the interpreter. The vulnerability has been addressed in pycares version 4.9.0, which introduces a mechanism for safe channel destruction, eliminating this risk.

Affected Version(s)

aiodns < 4.9.0

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved