CVE-2024-52303: 
Wolfi vulnerability analysis and mitigation

aiohttp, an asynchronous HTTP client/server framework for asyncio and Python, contains a memory leak vulnerability (CVE-2024-52303) in versions starting with 3.10.6 and prior to 3.10.11. The vulnerability was discovered and disclosed on November 18, 2024, affecting systems using middlewares with aiohttp.web (GitHub Advisory).

The vulnerability occurs when a request produces a MatchInfoError, causing a memory leak by adding an entry to a cache on each request. This happens because the building of each MatchInfoError produces a unique cache entry. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

An attacker can potentially exhaust the memory resources of a server by sending a substantial number (hundreds of thousands to millions) of requests that trigger the MatchInfoError condition. This can lead to a denial-of-service condition affecting the availability of the server (GitHub Advisory).

Users who utilize any middlewares with aiohttp.web should upgrade to version 3.10.11, which contains the patch for this vulnerability. The fix was implemented in commit bc15db6 to prevent system routes from polluting the middleware cache (GitHub Commit).