CVE-2024-12254: Unbounded memory buffering in SelectorSocketTransport.writelines()

8.7 CVSS

Description

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()
method would not "pause" writing and signal to the Protocol to drain
the buffer to the wire once the write buffer reached the "high-water
mark". Because of this, Protocols would not periodically drain the write
buffer potentially leading to memory exhaustion.

This
vulnerability likely impacts a small number of users, you must be using
Python 3.12.0 or later, on macOS or Linux, using the asyncio module
with protocols, and using .writelines() method which had new
zero-copy-on-write behavior in Python 3.12.0 and later. If not all of
these factors are true then your usage of Python is unaffected.

Classification

CVE ID: CVE-2024-12254

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

Affected Products

Vendor: Python Software Foundation

Product: CPython

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.38% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/python/cpython/issues/127655
https://github.com/python/cpython/pull/127656
https://mail.python.org/archives/list/[email protected]/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/
https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82
https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5

Timeline

2024-12-07 00:31:04 UTC
CVE

Unbounded memory buffering in SelectorSocketTransport.writelines()