CVE-2024-30251: aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.
References
- github.com/advisories/GHSA-5m98-qgg9-wh84
- github.com/aio-libs/aiohttp
- github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
- github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
- github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
- github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84
- nvd.nist.gov/vuln/detail/CVE-2024-30251
Code Behaviors & Features
Detect and mitigate CVE-2024-30251 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →