cve/2024/CVE-2024-52303.md

### [CVE-2024-52303](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52303)
![](https://img.shields.io/static/v1?label=Product&message=aiohttp&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%203.10.6%2C%20%3C%203.10.11%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=3.10.6%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-772%3A%20Missing%20Release%20of%20Resource%20after%20Effective%20Lifetime&color=brightgreen)

### Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. Those who use any middlewares with aiohttp.web should upgrade to version 3.10.11 to receive a patch.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/haiyen11231/automation-tool-for-patch-backporting