CVERadar

CVE-2024-12254

Medium Severity
SVRS: 36/100
CVSSv3: 7.5/10
EPSS: 0.00117 (0.117% predicted probability of exploitation in the next 30 days)

CVE-2024-12254 is an unbounded memory buffering vulnerability in CPython's asyncio module. The _SelectorSocketTransport.writelines() method in Python 3.12.0 and later does not pause writing and signal the protocol to drain once the write buffer passes its high-water mark, so a protocol that relies on pause_writing() (and, through it, on StreamWriter.drain()) keeps buffering outgoing data in memory without limit. Applications are affected when they run on macOS or Linux (where the selector event loop, and therefore this transport, is the default; Windows defaults to the proactor loop, which uses a different transport), use asyncio protocols, and send data with writelines(). That call gained a zero-copy-on-write path in 3.12.0, and the missing flow-control check came in with it. Although CVSS rates the issue 7.5 (network-reachable denial of service with no confidentiality or integrity impact), SOCRadar's SVRS of 36 reflects the narrow preconditions and the absence of known exploitation. The practical impact is resource exhaustion: a peer that connects and then stops reading while the server keeps calling writelines() can drive the process out of memory. Apply the fix commits listed under References, which first shipped in the 3.12.9 and 3.13.2 bugfix releases.

Reference tags: Vendor-advisory, Patch, Issue-tracking, In The Wild
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: 2024-12-06
Last updated: 2025-02-03
SOCRadar AI Insight

Description

CVE-2024-12254 is a vulnerability in the asyncio._SelectorSocketTransport.writelines() method in Python 3.12.0 and later. When the write buffer passes the "high-water mark", writelines() neither pauses writing nor signals the Protocol (via pause_writing()) to drain the buffer to the wire. Protocols therefore never learn that they should stop, StreamWriter.drain() returns immediately because it only waits while the protocol is paused, and a producer that keeps calling writelines() buffers data in memory without bound.

SVRS: This CVE has an SVRS score of 36, which signifies moderate real-world risk. While not critical, it should still be addressed, because a stalled peer can turn the missing back-pressure into memory exhaustion and a crash of the affected process.

Key Insights

  • Limited Scope: Only Python 3.12.0 or later on macOS or Linux, where the selector event loop and its _SelectorSocketTransport are the default, and only code paths that send through writelines(). Windows defaults to the proactor event loop, which uses a different transport and is outside the advisory's scope.
  • Memory Exhaustion Risk: writelines() appends the chunks to the transport's write buffer but never runs the flow-control check that calls pause_writing(). The protocol is never told to stop, and StreamWriter.drain() returns immediately because it only waits while the protocol is paused, so the buffer grows as fast as the application produces data.
  • Zero-Copy-on-Write Behavior: The defect arrived with the zero-copy writelines() path added in Python 3.12.0. Before that, writelines() joined the chunks and delegated to write(), which does apply flow control, so 3.11 and earlier are not affected.
  • Potential for Exploitation: No in-the-wild exploitation or public exploit is recorded on this page, but the attack model is simple: a remote peer connects and stops reading while the server keeps writing. The outcome is a denial of service through memory exhaustion; there is no memory corruption or data exposure (CVSS C:N/I:N/A:H).

Mitigation Strategies

  • Upgrade Python: The fix (python/cpython issue 127655, pull request 127656, commits linked under References) was merged in December 2024 and first shipped in the 3.12.9 and 3.13.2 bugfix releases. Verify the running interpreter's version on the hosts that serve traffic, not only in the build image.
  • asyncio Cannot Be Updated Separately: It is part of the standard library, so there is no independent module update. If upgrading is not yet possible, stop calling writelines() on affected interpreters and pass b"".join(chunks) to write() instead; that is what writelines() did before 3.12, and write() always runs the flow-control check, at the cost of one copy.
  • Monitor the Write Buffer: transport.get_write_buffer_size() and transport.get_write_buffer_limits() are public APIs. Alert when the buffered size stays above the high-water mark, since on an unpatched interpreter that state can persist indefinitely without pause_writing() ever firing.
  • Review Protocols: Do not assume that await writer.drain() bounds memory; on affected versions it returns immediately because the protocol is never paused. Cap in-flight bytes in application code, prefer write() per chunk over writelines(), and apply idle or slow-reader timeouts so a non-reading client cannot hold a connection open while the server keeps producing.
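The probe below is an added example, not code from CPython or from the advisory; it checks the interpreter it runs on and demonstrates the join-and-write workaround and the buffer-monitoring hook from the list above. It opens a socketpair whose peer never reads (the stalled client), lowers the high-water mark, pushes 8 MiB through writelines(), and reports whether pause_writing() was called. The names HIGH_WATER, CHUNKS, native_writelines, safe_writelines, buffer_status and probe_interpreter are chosen here, and the probe assumes a Unix selector event loop (Linux or macOS), the configuration the advisory covers.

```python
"""Probe for CVE-2024-12254 and the join-and-write workaround.

Added example, not code from CPython or from the advisory. Assumes a Unix
selector event loop (Linux or macOS), the configuration the advisory covers.
The names HIGH_WATER, CHUNKS, native_writelines, safe_writelines,
buffer_status and probe_interpreter are chosen here.
"""
import asyncio
import socket
import sys

HIGH_WATER = 64 * 1024            # deliberately small high-water mark for the probe
CHUNKS = [b"x" * 65536] * 128     # constructed payload: 8 MiB, far more than a socket buffer


class _Recorder(asyncio.Protocol):
    """Records whether the transport ever asked the protocol to stop writing."""

    def __init__(self):
        self.paused = False

    def pause_writing(self):
        self.paused = True

    def resume_writing(self):
        self.paused = False


def native_writelines(transport, chunks):
    """The affected call: writelines() on _SelectorSocketTransport."""
    transport.writelines(chunks)


def safe_writelines(transport, chunks):
    """Workaround for unpatched interpreters: one joined write().

    write() has always run the flow-control check, so pause_writing() fires as
    soon as the buffered bytes exceed the high-water mark. The extra copy is
    exactly what writelines() did before Python 3.12.
    """
    transport.write(b"".join(chunks))


def buffer_status(transport):
    """Monitoring hook: (buffered_bytes, high_water_mark, over_limit)."""
    size = transport.get_write_buffer_size()
    _low, high = transport.get_write_buffer_limits()   # asyncio returns (low, high)
    return size, high, size > high


async def _probe(write_fn):
    loop = asyncio.get_running_loop()
    sock, peer = socket.socketpair()   # `peer` never reads: a stalled remote client
    sock.setblocking(False)
    transport, proto = await loop.create_connection(_Recorder, sock=sock)
    transport.set_write_buffer_limits(high=HIGH_WATER)
    try:
        write_fn(transport, CHUNKS)
        _size, _high, over = buffer_status(transport)
        if not over:
            raise RuntimeError("probe inconclusive: kernel absorbed the whole payload")
        # The buffer is over the mark; the only question is whether we were told.
        return proto.paused
    finally:
        transport.abort()              # discard the buffered data and close the socket
        await asyncio.sleep(0)         # let connection_lost() run before the loop closes
        peer.close()


def probe_interpreter(write_fn=native_writelines):
    """True if pause_writing() fired after write_fn() pushed the buffer past HIGH_WATER."""
    return asyncio.run(_probe(write_fn))


if __name__ == "__main__":
    native = probe_interpreter(native_writelines)
    print(f"Python {sys.version.split()[0]}: writelines() "
          f"{'signals' if native else 'does NOT signal'} pause_writing()")
    print("join-and-write workaround signals pause_writing():",
          probe_interpreter(safe_writelines))
```

A False from probe_interpreter() means writelines() left the buffer above the high-water mark without telling the protocol, which is the vulnerable behaviour; the join-and-write path returns True on every version because write() applies flow control itself. Run the probe under the interpreter that serves production traffic, not only the one on a developer machine.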

Additional Information

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-12254 | Python Software CPython up to 3.14.0a0 asyncio._SelectorSocketTransport.writelines resource consumption (Nessus ID 212208)
vuldb.com, 2025-02-01
A vulnerability was found in Python Software CPython up to 3.14.0a0. It has been classified as problematic. Affected is the function asyncio._SelectorSocketTransport.writelines. The manipulation leads to resource consumption. This vulnerability is traded as CVE-2024-12254. It is possible to launch the attack remotely. There is no

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips
allhackernews.com (Ajit Jasrotia), 2024-12-16
This past week has been packed with unsettling developments in the world of cybersecurity. From silent but serious attacks on popular business tools to unexpected flaws lurking in everyday devices, there's a lot that might have flown under your radar. Attackers are adapting old tricks, uncovering new ones, and targeting systems both large and small. […] The post ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips appeared first on

Critical Vulnerability in Python Affected MacOS or Linux Leads to Exploiting The Memory
cybersecuritynews.com (Balaji N), 2024-12-10
A high-severity vulnerability (CVE-2024-12254) impacting CPython has been publicly disclosed, affecting Python versions 3.12.0 and later. The flaw, identified in the asyncio module, specifically lies in the _SelectorSocketTransport.writelines() method, potentially leading to memory exhaustion under certain conditions. Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar Overview of the Vulnerability The […] The post Critical Vulnerability in

Fwd: [Security-announce][CVE-2024-12254] Unbounded memory buffering in SelectorSocketTransport.writelines()
seclists.org, 2024-12-06
Posted by Alan Coopersmith on Dec 06 -------- Forwarded Message -------- Subject: [Security-announce][CVE-2024-12254] Unbounded memory buffering in SelectorSocketTransport.writelines() Date: Fri, 6 Dec 2024 09:15:28 -0600 From: Seth Larson Reply-To: security-sig () python org To: security-announce () python org There is a HIGH severity vulnerability affecting CPython.

CVE-2024-12254 | Python Software CPython up to 3.14.0a0 asyncio._SelectorSocketTransport.writelines resource consumption
vuldb.com, 2024-12-06
A vulnerability was found in Python Software CPython up to 3.14.0a0. It has been classified as problematic. Affected is the function asyncio._SelectorSocketTransport.writelines. The manipulation leads to resource consumption. This vulnerability is traded as CVE-2024-12254. It is possible to launch the attack remotely. There is no exploit available. It

Social Media

"CVE-2024-12254 vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() https://t.co/f2BdZQ9kEY"

"CVE-2024-12254 Is a good reminder that the python async write API is bad design. Even in the stdlib people forget to drain."

"@SeraphNova @yacineMTB By the way, at the moment there is a related vulnerability (CVE-2024-12254) affecting all 3.12.0+. They forgot to drain a write buffer .."

Affected Software

No affected software found for this CVE

References

http://www.openwall.com/lists/oss-security/2024/12/06/1
https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82
https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5
https://github.com/python/cpython/commit/e991ac8f2037d78140e417cc9a9486223eb3e786
https://github.com/python/cpython/issues/127655
https://github.com/python/cpython/pull/127656
https://mail.python.org/archives/list/security-announce@python.org/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/

CWE Details

CWE-770 Allocation of Resources Without Limits or Throttling: The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

CWE-400 Uncontrolled Resource Consumption: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
