QwikSec

Security Database

CVE

CWE

Training

CVE-2024-12254

Published: Dec 6, 2024

Modified: Apr 4, 2025

PUBLISHED

Description

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.

Vendor	Product	Versions
Python Software Foundation	CPython	affected `3.12.0 - < 3.12.9` affected `3.13.0 - < 3.13.2` affected `3.14.0a1 - < 3.14.0a3`

Weaknesses (CWE)

References

https://github.com/python/cpython/issues/127655

issue-tracking

https://github.com/python/cpython/pull/127656

patch

https://mail.python.org/archives/list/[email protected]/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/

vendor-advisory

https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82

patch

https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5

patch

https://github.com/python/cpython/commit/e991ac8f2037d78140e417cc9a9486223eb3e786

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.