{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360792?format=json","vulnerability_id":"VCID-gk1r-ur2p-mqfn","summary":"pycares has a Use-After-Free Vulnerability\n## Summary\n\npycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.\n\n## Details\n\n### Root Cause\n\nThe vulnerability stems from improper handling of callback references when the Channel object is destroyed:\n\n1. When a DNS query is initiated, pycares stores a callback reference using `ffi.new_handle()`\n2. If the Channel object is garbage collected while queries are pending, the callback references become invalid\n3. When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error\n\nThis issue was much more likely to occur when using `event_thread=True` but could happen without it under the right circumstances.\n\n### Technical Details\n\nThe core issue is a race condition between Python's garbage collector and c-ares's callback execution:\n\n1. When `__del__` is called from within a c-ares callback context, we cannot immediately call `ares_destroy()` because c-ares is still executing code after the callback returns\n2. c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c)\n3. If we destroy the channel too quickly, c-ares accesses freed memory\n\n### Impact\n\nApplications using `pycares` can be crashed remotely by triggering DNS queries that result in `Channel` objects being garbage collected before query completion. This is particularly problematic in scenarios where:\n\n- Channel objects are created per-request\n- Multiple failed DNS queries are processed rapidly\n- The application doesn't properly manage Channel lifecycle\n\nThe error manifests as:\n```\nFatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage\n```\n\n## Fix\n\nThe vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism\n\n## Mitigation\n\n### For Application Developers\n\n1. **Upgrade to pycares >= 4.9.0** - This version includes the fix and requires no code changes\n2. **Best practices** (optional but recommended):\n   ```python\n   # Explicit cleanup\n   channel.close()\n   \n   # Or use context manager\n   with pycares.Channel() as channel:\n       # ... use channel ...\n   # Automatically closed\n   ```\n3. **Avoid creating Channel objects per-request** - Prefer long-lived instances for better performance and safety\n\nThe fix is completely transparent - no API changes or code modifications are required.\n\n## Credit\n\nThis vulnerability was reported by @vEpiphyte through the aio-libs security program.","aliases":[{"alias":"GHSA-5qpg-rh4j-qp35"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378756?format=json","purl":"pkg:pypi/pycares@4.9.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.9.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/809326?format=json","purl":"pkg:pypi/pycares@0.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809327?format=json","purl":"pkg:pypi/pycares@0.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809328?format=json","purl":"pkg:pypi/pycares@0.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809329?format=json","purl":"pkg:pypi/pycares@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809330?format=json","purl":"pkg:pypi/pycares@0.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809331?format=json","purl":"pkg:pypi/pycares@0.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.6.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809332?format=json","purl":"pkg:pypi/pycares@0.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.6.1"},{"url":"http://public2.vulnerablecode.io/api/packages/809333?format=json","purl":"pkg:pypi/pycares@0.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/809334?format=json","purl":"pkg:pypi/pycares@0.6.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.6.3"},{"url":"http://public2.vulnerablecode.io/api/packages/809335?format=json","purl":"pkg:pypi/pycares@0.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@0.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809336?format=json","purl":"pkg:pypi/pycares@1.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@1.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809337?format=json","purl":"pkg:pypi/pycares@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809338?format=json","purl":"pkg:pypi/pycares@2.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/809339?format=json","purl":"pkg:pypi/pycares@2.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809340?format=json","purl":"pkg:pypi/pycares@2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/809341?format=json","purl":"pkg:pypi/pycares@2.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809342?format=json","purl":"pkg:pypi/pycares@2.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809343?format=json","purl":"pkg:pypi/pycares@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@2.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809344?format=json","purl":"pkg:pypi/pycares@3.0.0b0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b0"},{"url":"http://public2.vulnerablecode.io/api/packages/809345?format=json","purl":"pkg:pypi/pycares@3.0.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/809346?format=json","purl":"pkg:pypi/pycares@3.0.0b2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b2"},{"url":"http://public2.vulnerablecode.io/api/packages/809347?format=json","purl":"pkg:pypi/pycares@3.0.0b3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b3"},{"url":"http://public2.vulnerablecode.io/api/packages/809348?format=json","purl":"pkg:pypi/pycares@3.0.0b4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b4"},{"url":"http://public2.vulnerablecode.io/api/packages/809349?format=json","purl":"pkg:pypi/pycares@3.0.0b5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0b5"},{"url":"http://public2.vulnerablecode.io/api/packages/809350?format=json","purl":"pkg:pypi/pycares@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809351?format=json","purl":"pkg:pypi/pycares@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809352?format=json","purl":"pkg:pypi/pycares@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/809353?format=json","purl":"pkg:pypi/pycares@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809354?format=json","purl":"pkg:pypi/pycares@3.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@3.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/809355?format=json","purl":"pkg:pypi/pycares@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809356?format=json","purl":"pkg:pypi/pycares@4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/809357?format=json","purl":"pkg:pypi/pycares@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c7v8-v98m-1bb4"},{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/25221?format=json","purl":"pkg:pypi/pycares@4.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809358?format=json","purl":"pkg:pypi/pycares@4.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/809359?format=json","purl":"pkg:pypi/pycares@4.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/809360?format=json","purl":"pkg:pypi/pycares@4.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809361?format=json","purl":"pkg:pypi/pycares@4.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809362?format=json","purl":"pkg:pypi/pycares@4.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809363?format=json","purl":"pkg:pypi/pycares@4.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.6.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809364?format=json","purl":"pkg:pypi/pycares@4.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.6.1"},{"url":"http://public2.vulnerablecode.io/api/packages/809365?format=json","purl":"pkg:pypi/pycares@4.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/809366?format=json","purl":"pkg:pypi/pycares@4.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gk1r-ur2p-mqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pycares@4.8.0"}],"references":[{"reference_url":"https://github.com/saghul/pycares","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/saghul/pycares"},{"reference_url":"https://github.com/advisories/GHSA-5qpg-rh4j-qp35","reference_id":"GHSA-5qpg-rh4j-qp35","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5qpg-rh4j-qp35"},{"reference_url":"https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35","reference_id":"GHSA-5qpg-rh4j-qp35","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35"}],"weaknesses":[{"cwe_id":416,"name":"Use After Free","description":"Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gk1r-ur2p-mqfn"}