Race Condition Affecting uvicorn package, versions [,0.12.3)


Severity

0.0
medium
0
10

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-UVICORN-5812107
  • published 1 Aug 2023
  • disclosed 1 Aug 2023
  • credit Unknown

Introduced: 1 Aug 2023

CVE NOT AVAILABLE CWE-362 Open this link in a new tab

How to fix?

Upgrade uvicorn to version 0.12.3 or higher.

Overview

uvicorn is a lightning-fast ASGI server.

Affected versions of this package are vulnerable to Race Condition in the uvicorn/protocols/http component that leads Quart to hang with uvicorn. This vulnerability may allow an attacker to disrupt the server's response handling process under certain conditions, leading to potential Denial of Service (DoS) or other adverse impacts.

CVSS Scores

version 3.1
Expand this section

Snyk

5.9 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High