zeroconf@0.149.4

A pure python implementation of multicast DNS service discovery

  • latest version

    0.149.16

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    22 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the zeroconf package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable version
    • High severity
    Allocation of Resources Without Limits or Throttling

    zeroconf is a Pure Python Multicast DNS Service Discovery Library (Bonjour/Avahi compatible)

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the AsyncListener.handle_query_or_defer() function. An attacker can exhaust system memory and degrade service availability by sending a flood of spoofed, truncated mDNS queries from unauthenticated hosts on the local network, causing unbounded queue growth and excessive CPU usage.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade zeroconf to version 0.149.12 or higher.

    Vulnerable versions: [,0.149.12)
    • High severity
    Uncontrolled Recursion

    Affected versions of this package are vulnerable to Uncontrolled Recursion via the DNSIncoming._decode_labels_at_offset function. An attacker can cause excessive CPU consumption and log flooding by sending specially crafted mDNS packets with a long chain of unique forward compression pointers, leading to unbounded recursion and service degradation. This can be performed by any unauthenticated host on the local network segment using UDP/5353 multicast.

    How to fix Uncontrolled Recursion?

    Upgrade zeroconf to version 0.149.5 or higher.

    Vulnerable versions: [,0.149.5)
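The advisory above turns on how a name decoder treats DNS compression pointers. The block below is an added example, not code from python-zeroconf: a naive recursive decoder in the shape of the bug class next to an iterative one with a hop limit, a forward-pointer check and a length check. The limits, function names and the constructed test packets are assumptions for illustration; the only sample name is `_http._tcp.local`.

```python
"""Added example, not code from python-zeroconf: a minimal DNS-name decoder
in the shape of the Uncontrolled Recursion advisory, next to a bounded one.
Limits, function names and the test packets below are assumptions."""
from __future__ import annotations

POINTER_BITS = 0xC0
MAX_POINTER_HOPS = 16    # assumption: a real name needs only a handful of hops
MAX_NAME_OCTETS = 255    # RFC 1035 section 2.3.4 wire-format limit

# Constructed sample name used by every test packet below: _http._tcp.local
NAME = b"\x05_http\x04_tcp\x05local\x00"


def decode_name_unbounded(packet: bytes, offset: int) -> list[str]:
    """Naive decoder: recurses once per compression pointer, so a chain of N
    distinct forward pointers costs N stack frames (the bug class on this
    page; here it ends in a RecursionError rather than a CPU burn)."""
    labels: list[str] = []
    while True:
        length = packet[offset]
        if length == 0:
            return labels
        if length & POINTER_BITS == POINTER_BITS:
            target = ((length & 0x3F) << 8) | packet[offset + 1]
            return labels + decode_name_unbounded(packet, target)
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def decode_name_bounded(packet: bytes, offset: int) -> tuple[list[str], int]:
    """Iterative decoder. Returns (labels, offset just past the name as it
    appears at `offset`). Rejects, instead of chasing, pointer chains that a
    legitimate encoder never emits."""
    labels: list[str] = []
    octets = 0               # wire-format length of the decoded name
    hops = 0
    end: int | None = None   # where the caller resumes; fixed by the first pointer
    pos = offset
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        if length == 0:
            return labels, (pos + 1 if end is None else end)
        if length & POINTER_BITS == POINTER_BITS:
            if pos + 1 >= len(packet):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | packet[pos + 1]
            if end is None:
                end = pos + 2
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("too many compression pointer hops")
            if target >= pos:
                # RFC 1035 pointers refer to a *prior* occurrence of a name;
                # forward and self pointers only appear in crafted packets
                raise ValueError("forward or self-referential pointer")
            pos = target
            continue
        if length & POINTER_BITS:
            raise ValueError("reserved label type 0x40/0x80")
        octets += 1 + length
        if octets + 1 > MAX_NAME_OCTETS:
            raise ValueError("name longer than 255 octets")
        if pos + 1 + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def _pointer(target: int) -> bytes:
    return bytes([POINTER_BITS | (target >> 8), target & 0xFF])


def build_forward_chain(hops: int) -> tuple[bytes, int]:
    """Constructed packet: a zeroed 12-byte header, then `hops` pointers each
    referring to the next one, ending at NAME. Returns (packet, start)."""
    chain = b"".join(_pointer(12 + 2 * (i + 1)) for i in range(hops))
    return bytes(12) + chain + NAME, 12


def build_backward_chain(hops: int) -> tuple[bytes, int]:
    """Constructed packet: NAME first, then `hops` pointers each referring to
    the previous one, so every hop is RFC-legal but the chain is long."""
    base = 12 + len(NAME)
    chain = b"".join(_pointer(12 if i == 0 else base + 2 * (i - 1)) for i in range(hops))
    return bytes(12) + NAME + chain, base + 2 * (hops - 1)


def decode_or_reason(decoder, packet: bytes, start: int) -> str:
    """Dotted name on success, otherwise the exception class name."""
    try:
        result = decoder(packet, start)
        labels = result[0] if isinstance(result, tuple) else result
        return ".".join(labels)
    except (ValueError, RecursionError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for desc, (packet, start) in (("forward chain x5000", build_forward_chain(5000)),
                                  ("backward chain x40", build_backward_chain(40))):
        print(desc, "unbounded:", decode_or_reason(decode_name_unbounded, packet, start),
              "bounded:", decode_or_reason(decode_name_bounded, packet, start))
```

The hop limit is the guard that matters for this advisory: it bounds work per name regardless of where the pointers point. The forward-pointer check is cheaper and catches the crafted chain at the first hop, but a chain of backward pointers is still RFC-legal, which is why both checks are present.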
    • High severity
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the DNSCache._async_add function. Any unauthenticated host on the local link can exhaust system memory and degrade performance by sending a flood of multicast mDNS responses with unique names, causing unbounded growth in the DNS record cache and related data structures. This can lead to process termination or severe slowdowns, especially on memory-constrained systems.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade zeroconf to version 0.149.7 or higher.

    Vulnerable versions: [,0.149.7)
    • High severity
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the DNSIncoming._log_exception_debug function and its exception-deduplication logic, which keeps every distinct exception seen in memory without bound. An attacker can cause excessive memory consumption by sending a large number of uniquely malformed packets over the local network, leading to process termination due to out-of-memory conditions.

    Note: This is only exploitable if the attacker has access to the same local network segment as the vulnerable system.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade zeroconf to version 0.149.6 or higher.

    Vulnerable versions: [,0.149.6)
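The three resource-exhaustion advisories on this page (the deferred-query queue in AsyncListener.handle_query_or_defer, the name-keyed record cache in DNSCache._async_add, and the exception-deduplication data behind DNSIncoming._log_exception_debug) are one bug class: per-packet state keyed by attacker-chosen input with no cap. The block below is an added example, not python-zeroconf code, of the shape of fix such state needs: a capped, TTL-aware store, exercised with a constructed flood of unique names and a constructed flood of unique exception messages. The cap, the TTL and the eviction policy are assumptions for illustration.

```python
"""Added example, not python-zeroconf code: a capped store for the kinds of
per-packet state the resource-exhaustion advisories describe (the name-keyed
record cache and the set of exception messages kept for deduplication).
Cap, TTL and the constructed floods are assumptions for illustration."""
from __future__ import annotations

from collections import OrderedDict

MAX_ENTRIES = 4096     # assumption: comfortably above what a real local link advertises
DEFAULT_TTL = 120.0    # seconds; real mDNS records carry their own TTL


class BoundedStore:
    """Insertion-ordered mapping with a hard entry cap.

    When an insert would exceed the cap, expired entries are purged first and
    then the oldest live entries are dropped, so memory is bounded by
    max_entries however many unique names the link sends."""

    def __init__(self, max_entries: int = MAX_ENTRIES) -> None:
        self.max_entries = max_entries
        self._entries: OrderedDict[str, tuple[object, float]] = OrderedDict()
        self.expired = 0   # counters a detection pipeline could alert on
        self.evicted = 0

    def __len__(self) -> int:
        return len(self._entries)

    def __contains__(self, key: str) -> bool:
        return key in self._entries

    def add(self, key: str, value: object, now: float, ttl: float = DEFAULT_TTL) -> None:
        if key in self._entries:
            self._entries.move_to_end(key)       # refresh an existing name, no growth
        self._entries[key] = (value, now + ttl)
        if len(self._entries) > self.max_entries:
            self.purge_expired(now)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)    # drop the oldest live entry
            self.evicted += 1

    def purge_expired(self, now: float) -> int:
        stale = [k for k, (_, expires) in self._entries.items() if expires <= now]
        for k in stale:
            del self._entries[k]
        self.expired += len(stale)
        return len(stale)


def simulate_response_flood(cache: BoundedStore, count: int, now: float = 0.0) -> int:
    """Constructed flood in the shape of the DNSCache._async_add advisory:
    `count` responses, each announcing a never-before-seen name."""
    for i in range(count):
        cache.add(f"host-{i:06x}.local.", ("A", "192.0.2.1"), now)   # constructed record
    return len(cache)


def log_exception_once(seen: BoundedStore, message: str, now: float) -> bool:
    """Deduplicate exception messages without keeping every distinct one
    forever; True means 'log it'. A flood of unique messages now recycles
    entries instead of growing the set."""
    if message in seen:
        return False
    seen.add(message, None, now)
    return True


if __name__ == "__main__":
    cache = BoundedStore(max_entries=1000)
    print("cache entries after 50000 unique names:", simulate_response_flood(cache, 50_000),
          "evicted:", cache.evicted)
    seen = BoundedStore(max_entries=100)
    for i in range(500):
        log_exception_once(seen, f"malformed packet {i}", 0.0)
    print("dedup entries after 500 unique messages:", len(seen))
```

For the deferred-query queue in the first advisory the same bound comes from `collections.deque(maxlen=N)` in the standard library, which discards the oldest entry when a new one is appended at capacity. Whichever structure is capped, the eviction counter is worth exporting: a sustained non-zero rate of evictions on an mDNS listener is the observable signature of the floods these advisories describe.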