cve/2024/CVE-2024-12254.md

### [CVE-2024-12254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12254)
![](https://img.shields.io/static/v1?label=Product&message=CPython&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=3.12.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=3.13.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=3.14.0a1%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-400%20Uncontrolled%20Resource%20Consumption&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-770%20Allocation%20of%20Resources%20Without%20Limits%20or%20Throttling&color=brightgreen)

### Description

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion.This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.

### POC

#### Reference
- https://github.com/python/cpython/pull/127656

#### Github
- https://github.com/GitHubForSnap/matrix-commander-gael
- https://github.com/adegoodyer/kubernetes-admin-toolkit
- https://github.com/bygregonline/devsec-fastapi-report
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`### [CVE-2024-12254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12254)`
			`![](https://img.shields.io/static/v1?label=Product&message=CPython&color=blue)`
Update CVE list 2025-09-29 21:09 2025-09-29 21:09:30 +02:00			`![](https://img.shields.io/static/v1?label=Version&message=3.12.0%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=3.13.0%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=3.14.0a1%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-400%20Uncontrolled%20Resource%20Consumption&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-770%20Allocation%20of%20Resources%20Without%20Limits%20or%20Throttling&color=brightgreen)`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00
			`### Description`

			Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion.This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.

			`### POC`

			`#### Reference`
Update CVE list 2025-09-29 21:09 2025-09-29 21:09:30 +02:00			`- https://github.com/python/cpython/pull/127656`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00
			`#### Github`
			`- https://github.com/GitHubForSnap/matrix-commander-gael`
			`- https://github.com/adegoodyer/kubernetes-admin-toolkit`
			`- https://github.com/bygregonline/devsec-fastapi-report`