A high-severity vulnerability (CVE-2024-12254) has been discovered in CPython, the reference implementation of the Python programming language. This vulnerability, with a CVSSv4 score of 8.7, affects versions 3.12.0 and later and could potentially lead to memory exhaustion in applications using the asyncio module.
The vulnerability stems from an issue in the asyncio._SelectorSocketTransport.writelines() method. Under specific conditions, this method fails to "pause" writing and signal to the Protocol (through its pause_writing() callback) that the buffer must drain to the wire once it exceeds its high-water mark. This can result in unbounded memory growth, potentially crashing the application or even the entire system.
While the vulnerability has been assigned a high severity score, its impact is likely limited. The vulnerability only affects applications running Python 3.12.0 or later on macOS or Linux systems. Furthermore, the application must utilize the asyncio module with protocols and employ the .writelines() method with the new zero-copy-on-write behavior introduced in Python 3.12.0.
Despite the limited impact, developers and system administrators are urged to assess their Python applications and determine if they are vulnerable. If the aforementioned conditions are met, updating to the latest version of Python is strongly recommended.
The vulnerability arises from a change in the behavior of the writelines() method in Python 3.12.0. Previously, this method would pause writing and signal the Protocol to drain the buffer once it reached a certain threshold. However, the new zero-copy-on-write behavior introduced in Python 3.12.0 inadvertently removed this “pause” mechanism.
As a result, the write buffer can grow indefinitely, consuming system memory until it is exhausted. This can lead to application crashes, denial of service, and potentially even system instability.
The Python development team has addressed this vulnerability in the latest releases of Python 3.12. Users are strongly encouraged to update their Python installations to the latest available version to mitigate this risk.
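The assessment step recommended above can be automated with a runtime probe. The following is an added example, not code from the article or from CPython itself: it connects over loopback to a peer that never reads, sets a 64 KiB high-water mark, queues 32 MiB through writelines(), and reports whether the transport asked the protocol to pause. It assumes a Linux or macOS selector event loop (the platforms the article names) and uses constructed payload sizes.

```python
import asyncio
import socket

HIGH_WATER = 64 * 1024       # pause threshold we set on the transport
CHUNK = b"x" * (512 * 1024)  # constructed payload: 64 x 512 KiB = 32 MiB queued
N_CHUNKS = 64                # kept well under IOV_MAX for the sendmsg() path


class Sender(asyncio.Protocol):
    """Counts how often the transport asks us to stop writing."""

    def __init__(self):
        self.pause_calls = 0

    def pause_writing(self):
        self.pause_calls += 1

    def resume_writing(self):
        pass


async def _probe():
    # Listener that accepts the connection but never reads: the peer's receive
    # window and our kernel send buffer fill up, so asyncio must queue the rest.
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    loop = asyncio.get_running_loop()
    transport, proto = await loop.create_connection(Sender, *lsock.getsockname())
    peer, _ = lsock.accept()
    transport.set_write_buffer_limits(high=HIGH_WATER)
    transport.writelines([CHUNK] * N_CHUNKS)  # a fixed transport pauses us right here
    buffered = transport.get_write_buffer_size()
    pause_calls = proto.pause_calls
    transport.abort()
    peer.close()
    lsock.close()
    return buffered, pause_calls


def check_writelines_flow_control():
    """Return (buffered_bytes, pause_calls, flow_control_ok) for this interpreter."""
    buffered, pause_calls = asyncio.run(_probe())
    # Flow control is intact if we were paused, or if nothing exceeded the mark.
    return buffered, pause_calls, pause_calls > 0 or buffered <= HIGH_WATER


if __name__ == "__main__":
    queued, pauses, ok = check_writelines_flow_control()
    print(f"queued {queued} bytes, pause_writing() called {pauses}x -> "
          f"{'flow control OK' if ok else 'VULNERABLE: unbounded write buffer'}")
```

On an affected interpreter the queued byte count far exceeds the high-water mark while pause_writing() is never called; on a fixed release the call happens synchronously inside writelines().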