Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true, then your usage of Python is unaffected.
Reserved 2024-12-05 | Published 2024-12-06 | Updated 2025-01-06 | Assigner PSF
CWE-400 Uncontrolled Resource Consumption
CWE-770 Allocation of Resources Without Limits or Throttling
J. Nick Koston
Seth Larson
github.com/python/cpython/issues/127655
github.com/python/cpython/pull/127656
mail.python.org/.../thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/
github.com/...ommit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82
github.com/...ommit/9aa0deb2eef2655a1029ba228527b152353135b5
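The flow-control signal described in the advisory, as an added example that is not code from CPython or from the advisory: a Protocol that counts pause_writing() callbacks after writelines() and also bounds the transport's write buffer itself by polling get_write_buffer_size(), so memory stays bounded whether or not the transport signals. The names Sender, send_lines and run_demo are hypothetical, and the peer is a constructed local socketpair.

```python
import asyncio
import socket

class Sender(asyncio.Protocol):
    """Counts pause_writing() signals and bounds the write buffer itself."""
    def __init__(self):
        self.transport, self.pause_calls, self.peak = None, 0, 0

    def connection_made(self, transport):
        self.transport = transport

    def pause_writing(self):
        # The callback the advisory says writelines() failed to trigger.
        self.pause_calls += 1

    async def send_lines(self, lines):
        t = self.transport
        t.writelines(lines)
        self.peak = max(self.peak, t.get_write_buffer_size())
        low, high = t.get_write_buffer_limits()
        # Poll the buffer directly: holds even if pause_writing() never fires.
        if t.get_write_buffer_size() > high:
            while t.get_write_buffer_size() > low:
                await asyncio.sleep(0.005)

async def _reader(sock, expected):
    loop, got = asyncio.get_running_loop(), 0
    while got < expected:
        chunk = await loop.sock_recv(sock, 65536)
        if not chunk:
            break
        got += len(chunk)
    return got

async def run_demo(batches=64, lines_per_batch=64, line=b"x" * 1023 + b"\n"):
    a, b = socket.socketpair()  # constructed local peer, no network needed
    b.setblocking(False)
    loop = asyncio.get_running_loop()
    transport, proto = await loop.create_connection(Sender, sock=a)
    batch_bytes = lines_per_batch * len(line)
    reader = asyncio.create_task(_reader(b, batches * batch_bytes))
    for _ in range(batches):
        await proto.send_lines([line] * lines_per_batch)
    received = await reader
    _, high = transport.get_write_buffer_limits()
    transport.close()
    b.close()
    return dict(peak=proto.peak, bound=high + batch_bytes, received=received,
                sent=batches * batch_bytes, pause_calls=proto.pause_calls)

if __name__ == "__main__":
    print(asyncio.run(run_demo()))
```

A pause_calls value of 0 alongside a non-zero peak means the transport buffered data without ever signalling the Protocol.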