
GHSA-5qpg-rh4j-qp35
Python vulnerability analysis and mitigation

Overview

The vulnerability (GHSA-5qpg-rh4j-qp35) affects pycares, a Python library for DNS resolution, where a use-after-free condition occurs when a Channel object is garbage collected while DNS queries are still pending. The issue was discovered and disclosed on June 16, 2025, affecting versions <= 4.8.0, with version 4.9.0 containing the fix. The vulnerability is classified as moderate severity and is tracked as CVE-2025-48945 (GitHub Advisory).

Technical details

The vulnerability stems from a race condition between Python's garbage collector and c-ares's callback execution. When a DNS query is initiated, pycares stores a callback reference using ffi.new_handle(). If the Channel object is garbage collected while queries are pending, the callback references become invalid, and when c-ares attempts to invoke the callback, it accesses freed memory. The issue occurs specifically when __del__ is called within a c-ares callback context, as c-ares needs to execute cleanup code after the Python callback returns. This problem is particularly prevalent when using event_thread=True (GitHub Advisory).

Impact

Applications using pycares can be crashed remotely by triggering DNS queries that result in Channel objects being garbage collected before query completion. This is particularly problematic in scenarios where Channel objects are created per-request, multiple failed DNS queries are processed rapidly, or the application doesn't properly manage Channel lifecycle. The error manifests as a fatal Python error with the message 'b_from_handle: ffi.from_handle() detected that the address passed points to garbage' (GitHub Advisory).

Mitigation and workarounds

The primary mitigation is to upgrade to pycares >= 4.9.0, which implements a safe channel destruction mechanism. Best practices include using explicit cleanup with channel.close(), utilizing the context manager pattern, and avoiding the creation of Channel objects per-request. It's recommended to use long-lived instances for better performance and safety. The fix includes a channel destruction mechanism with a limited throughput of 60 channels per minute to ensure thread safety (GitHub Advisory, GitHub Commit).
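The lifecycle discipline the mitigation section recommends, as an added example that is not pycares' or the advisory's own code: one long-lived Channel wrapped so that close() (also reached through the context manager) waits for in-flight queries, cancels any stragglers, and only then tears the channel down. It assumes pycares' public Channel API (Channel(event_thread=True), query(name, qtype, callback), cancel(), close()) and accepts a channel_factory so the logic can be exercised without a live resolver.

```python
import threading


class SafeResolver:
    """One long-lived Channel, closed only after every pending query has completed or been cancelled."""

    def __init__(self, channel_factory=None):
        if channel_factory is None:
            import pycares  # assumption: Channel(event_thread=True) exists in pycares >= 4.9
            channel_factory = lambda: pycares.Channel(event_thread=True)
        self._channel = channel_factory()
        self._cond = threading.Condition()  # guards _pending and _closed (RLock underneath)
        self._pending = 0
        self._closed = False

    def query(self, name, qtype, callback):
        with self._cond:
            if self._closed:
                raise RuntimeError("resolver is closed")
            self._pending += 1

        def _done(result, error):  # invoked by c-ares, possibly on its event thread
            try:
                callback(result, error)
            finally:
                with self._cond:
                    self._pending -= 1
                    self._cond.notify_all()

        self._channel.query(name, qtype, _done)

    def close(self, timeout=5.0):
        with self._cond:
            if self._closed:
                return
            self._closed = True
            drained = self._cond.wait_for(lambda: self._pending == 0, timeout)
        if not drained:  # lock released: cancel() may run callbacks synchronously
            self._channel.cancel()  # outstanding callbacks fire with ARES_ECANCELLED
            with self._cond:
                self._cond.wait_for(lambda: self._pending == 0, timeout)
        self._channel.close()  # only reached once no callback can still touch this object

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()
```

Create one SafeResolver at application start and share it across requests; never let a per-request instance go out of scope with queries still in flight.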

Additional resources


This report was generated using AI.
