Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/360792?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360792?format=api", "vulnerability_id": "VCID-gk1r-ur2p-mqfn", "summary": "pycares has a Use-After-Free Vulnerability\n## Summary\n\npycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.\n\n## Details\n\n### Root Cause\n\nThe vulnerability stems from improper handling of callback references when the Channel object is destroyed:\n\n1. When a DNS query is initiated, pycares stores a callback reference using `ffi.new_handle()`\n2. If the Channel object is garbage collected while queries are pending, the callback references become invalid\n3. When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error\n\nThis issue was much more likely to occur when using `event_thread=True` but could happen without it under the right circumstances.\n\n### Technical Details\n\nThe core issue is a race condition between Python's garbage collector and c-ares's callback execution:\n\n1. When `__del__` is called from within a c-ares callback context, we cannot immediately call `ares_destroy()` because c-ares is still executing code after the callback returns\n2. c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c)\n3. If we destroy the channel too quickly, c-ares accesses freed memory\n\n### Impact\n\nApplications using `pycares` can be crashed remotely by triggering DNS queries that result in `Channel` objects being garbage collected before query completion. This is particularly problematic in scenarios where:\n\n- Channel objects are created per-request\n- Multiple failed DNS queries are processed rapidly\n- The application doesn't properly manage Channel lifecycle\n\nThe error manifests as:\n```\nFatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage\n```\n\n## Fix\n\nThe vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism\n\n## Mitigation\n\n### For Application Developers\n\n1. **Upgrade to pycares >= 4.9.0** - This version includes the fix and requires no code changes\n2. **Best practices** (optional but recommended):\n ```python\n # Explicit cleanup\n channel.close()\n \n # Or use context manager\n with pycares.Channel() as channel:\n # ... use channel ...\n # Automatically closed\n ```\n3. **Avoid creating Channel objects per-request** - Prefer long-lived instances for better performance and safety\n\nThe fix is completely transparent - no API changes or code modifications are required.\n\n## Credit\n\nThis vulnerability was reported by @vEpiphyte through the aio-libs security program.", "aliases": [ { "alias": "GHSA-5qpg-rh4j-qp35" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378756?format=api", "purl": "pkg:pypi/pycares@4.9.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.9.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/809326?format=api", "purl": "pkg:pypi/pycares@0.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809327?format=api", "purl": "pkg:pypi/pycares@0.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.2.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809328?format=api", "purl": "pkg:pypi/pycares@0.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809329?format=api", "purl": "pkg:pypi/pycares@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.4.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809330?format=api", "purl": "pkg:pypi/pycares@0.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.5.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809331?format=api", "purl": "pkg:pypi/pycares@0.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.6.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809332?format=api", "purl": "pkg:pypi/pycares@0.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.6.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/809333?format=api", "purl": "pkg:pypi/pycares@0.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/809334?format=api", "purl": "pkg:pypi/pycares@0.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.6.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/809335?format=api", "purl": "pkg:pypi/pycares@0.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.7.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809336?format=api", "purl": "pkg:pypi/pycares@1.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@1.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809337?format=api", "purl": "pkg:pypi/pycares@2.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809338?format=api", "purl": "pkg:pypi/pycares@2.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.0.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/809339?format=api", "purl": "pkg:pypi/pycares@2.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809340?format=api", "purl": "pkg:pypi/pycares@2.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/809341?format=api", "purl": "pkg:pypi/pycares@2.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.2.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809342?format=api", "purl": "pkg:pypi/pycares@2.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809343?format=api", "purl": "pkg:pypi/pycares@2.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.4.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809344?format=api", "purl": "pkg:pypi/pycares@3.0.0b0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809345?format=api", "purl": "pkg:pypi/pycares@3.0.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/809346?format=api", "purl": "pkg:pypi/pycares@3.0.0b2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b2" }, { "url": "http://public2.vulnerablecode.io/api/packages/809347?format=api", "purl": "pkg:pypi/pycares@3.0.0b3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b3" }, { "url": "http://public2.vulnerablecode.io/api/packages/809348?format=api", "purl": "pkg:pypi/pycares@3.0.0b4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b4" }, { "url": "http://public2.vulnerablecode.io/api/packages/809349?format=api", "purl": "pkg:pypi/pycares@3.0.0b5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b5" }, { "url": "http://public2.vulnerablecode.io/api/packages/809350?format=api", "purl": "pkg:pypi/pycares@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809351?format=api", "purl": "pkg:pypi/pycares@3.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809352?format=api", "purl": "pkg:pypi/pycares@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/809353?format=api", "purl": "pkg:pypi/pycares@3.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.2.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809354?format=api", "purl": "pkg:pypi/pycares@3.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/809355?format=api", "purl": "pkg:pypi/pycares@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809356?format=api", "purl": "pkg:pypi/pycares@4.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/809357?format=api", "purl": "pkg:pypi/pycares@4.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7v8-v98m-1bb4" }, { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.1.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/25221?format=api", "purl": "pkg:pypi/pycares@4.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.2.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809358?format=api", "purl": "pkg:pypi/pycares@4.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/809359?format=api", "purl": "pkg:pypi/pycares@4.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/809360?format=api", "purl": "pkg:pypi/pycares@4.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809361?format=api", "purl": "pkg:pypi/pycares@4.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.4.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809362?format=api", "purl": "pkg:pypi/pycares@4.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.5.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809363?format=api", "purl": "pkg:pypi/pycares@4.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.6.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809364?format=api", "purl": "pkg:pypi/pycares@4.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.6.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/809365?format=api", "purl": "pkg:pypi/pycares@4.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.7.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/809366?format=api", "purl": "pkg:pypi/pycares@4.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gk1r-ur2p-mqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.8.0" } ], "references": [ { "reference_url": "https://github.com/saghul/pycares", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/saghul/pycares" }, { "reference_url": "https://github.com/advisories/GHSA-5qpg-rh4j-qp35", "reference_id": "GHSA-5qpg-rh4j-qp35", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5qpg-rh4j-qp35" }, { "reference_url": "https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35", "reference_id": "GHSA-5qpg-rh4j-qp35", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35" } ], "weaknesses": [ { "cwe_id": 416, "name": "Use After Free", "description": "Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gk1r-ur2p-mqfn" }