Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-12254

HIGH
Published 2024-12-06T15:19:41.576Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-12254. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.5
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.001
probability
of exploitation in the wild

There is a 0.1% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.316
Higher than 31.6% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
NONE
Integrity
NONE
Availability
HIGH

Description

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()
method would not "pause" writing and signal to the Protocol to drain
the buffer to the wire once the write buffer reached the "high-water
mark". Because of this, Protocols would not periodically drain the write
buffer potentially leading to memory exhaustion.

This
vulnerability likely impacts a small number of users, you must be using
Python 3.12.0 or later, on macOS or Linux, using the asyncio module
with protocols, and using .writelines() method which had new
zero-copy-on-write behavior in Python 3.12.0 and later. If not all of
these factors are true then your usage of Python is unaffected.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Python Software Foundation

CPython

Affected Versions:

3.12.0 3.13.0 3.14.0a1
python_software_foundation

cpython

Affected Versions:

3.12.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-ph84-rcj2-fxxm

Advisory Details

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-12254
WEB https://github.com/python/cpython/issues/127655
WEB https://github.com/python/cpython/pull/127656
WEB https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82
WEB https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5
WEB https://github.com/python/cpython/commit/e991ac8f2037d78140e417cc9a9486223eb3e786
WEB https://mail.python.org/archives/list/[email protected]/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB
WEB https://security.netapp.com/advisory/ntap-20250404-0010
WEB http://www.openwall.com/lists/oss-security/2024/12/06/1

Advisory provided by GitHub Security Advisory Database. Published: December 6, 2024, Modified: April 5, 2025

References

https://github.com/python/cpython/issues/127655
https://github.com/python/cpython/pull/127656
https://mail.python.org/archives/list/[email protected]/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/
https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82
https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5
https://github.com/python/cpython/commit/e991ac8f2037d78140e417cc9a9486223eb3e786
Published: 2024-12-06T15:19:41.576Z
Last Modified: 2025-04-04T23:03:00.653Z
Copied to clipboard!