Vulnerability Information
Vulnerability Title
aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method
Vulnerability Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.
CVSS Information
N/A
Vulnerability Type
Missing release of resource after effective lifetime
Vulnerability Title
aiohttp security vulnerability
Vulnerability Description
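aiohttp is an open-source asynchronous HTTP client/server framework for asyncio and Python, developed by aio-libs. aiohttp versions 3.10.6 up to, but not including, 3.10.11 contain a security vulnerability caused by a memory leak. An attacker may be able to exhaust a server's memory resources by sending a large number of requests.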
CVSS Information
N/A
Vulnerability Type
N/A
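To check a dependency file against the affected range given in the description (3.10.6 up to, but not including, 3.10.11), the following added example scans requirements-style text for aiohttp pins. It is not code from this page or from the aiohttp project; the function names and the sample input are constructed for illustration.

```python
import re

# Affected range taken from the description: >= 3.10.6 and < 3.10.11.
FIRST_AFFECTED = (3, 10, 6)
FIRST_FIXED = (3, 10, 11)

# Exact pins such as "aiohttp==3.10.8" or "aiohttp[speedups] == 3.10.8".
_PIN = re.compile(
    r"^aiohttp(?:\[[^\]]*\])?\s*==\s*(\d+)\.(\d+)\.(\d+)\s*(?:[;#].*)?$",
    re.IGNORECASE,
)

def is_affected(version):
    """True when a (major, minor, patch) tuple falls in the affected range."""
    return FIRST_AFFECTED <= version < FIRST_FIXED

def scan_requirements(text):
    """Return (line_number, pin, status) for every aiohttp line in the text.

    status is "affected", "ok" or "unpinned"; anything that is not an exact
    X.Y.Z pin cannot be resolved offline and is reported for manual review.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip other packages, including ones that merely start with "aiohttp".
        if not re.match(r"aiohttp(?![\w.-])", line, re.IGNORECASE):
            continue
        match = _PIN.match(line)
        if match is None:
            findings.append((number, line, "unpinned"))
            continue
        version = tuple(int(part) for part in match.groups())
        status = "affected" if is_affected(version) else "ok"
        findings.append((number, ".".join(map(str, version)), status))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# web tier
aiohttp==3.10.8
aiohttp-cors==0.7.0
aiohttp[speedups]==3.10.11  # patched
aiohttp>=3.9
"""

if __name__ == "__main__":
    for number, pin, status in scan_requirements(SAMPLE):
        print(f"line {number}: aiohttp {pin} -> {status}")
```

A pin in the affected range matters for deployments that use middlewares with aiohttp.web, as the description states; the scan cannot determine that and only reports the version.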