{"id":"BIT-python-min-2024-12254","summary":"Unbounded memory buffering in SelectorSocketTransport.writelines()","details":"Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not \"pause\" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the \"high-water mark\". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion.\n\nThis vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.","aliases":["BIT-libpython-2024-12254","BIT-python-2024-12254","CVE-2024-12254","PSF-2024-14"],"modified":"2025-08-11T15:13:34.080710Z","published":"2025-02-06T12:33:16.877Z","database_specific":{"severity":"High","cpes":["cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82"},{"type":"WEB","url":"https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5"},{"type":"WEB","url":"https://github.com/python/cpython/commit/e991ac8f2037d78140e417cc9a9486223eb3e786"},{"type":"WEB","url":"https://github.com/python/cpython/issues/127655"},{"type":"WEB","url":"https://github.com/python/cpython/pull/127656"},{"type":"WEB","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/12/06/1"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12254"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20250404-0010/"}],"affected":[{"package":{"name":"python-min","ecosystem":"Bitnami","pu
rl":"pkg:bitnami/python-min"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.12.0"},{"fixed":"3.12.9"},{"introduced":"3.13.0"},{"fixed":"3.13.2"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/python-min/BIT-python-min-2024-12254.json"},"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}],"schema_version":"1.7.3"}