Race Condition Affecting anyio package, versions [,4.4.0)

Q: How to fix?

Upgrade anyio to version 4.4.0 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Race Condition vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-ANYIO-7361842
published24 Jun 2024
disclosed1 Jun 2024
creditDaniel Robbins

Report a new vulnerability Found a mistake?

Introduced: 1 Jun 2024

CWE-362 (opens in a new tab)

How to fix?

Upgrade anyio to version 4.4.0 or higher.

Overview

anyio is a High level compatibility layer for multiple asynchronous event loop implementations

Affected versions of this package are vulnerable to Race Condition in _eventloop.get_asynclib() that cause crashes when multiple event loops of the same backend are running in separate threads and simultaneously attempting to use AnyIO for the first time.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None