Описание
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.
A flaw was found in aiohttp, an asynchronous HTTP client/server framework for Python. A remote attacker could exploit this vulnerability by sending a specially crafted POST request to an application using the Request.post() method, provided that Python optimizations are enabled. This could lead to an infinite loop, resulting in a Denial of Service (DoS) attack, making the affected application unavailable.
Отчет
This vulnerability is rated Moderate for Red Hat products as it can lead to a Denial of Service (DoS) in applications utilizing the aiohttp library. Exploitation requires Python optimizations to be explicitly enabled (e.g., via -O or PYTHONOPTIMIZE=1) and the application to process POST requests using the Request.post() method. Red Hat products are affected if they meet these specific configuration and usage criteria.
Меры по смягчению последствий
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Containers | rhmtc/openshift-migration-hook-runner-rhel8 | Affected | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-ocp-rag-rhel9 | Affected | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Affected | ||
| OpenShift Lightspeed | openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/grafana-rhel8 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-must-gather-rhel9 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-operator-bundle | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-rhel8-operator | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
EPSS
7.5 High
CVSS3