DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-7M8F-HGJQ-8GC9: Pre-Authentication Denial of Service via Insecure Deserialization Order in aiosend

Vulnerability ID: GHSA-7M8F-HGJQ-8GC9
CVSS Score: 7.5
Published: 2026-05-22

The aiosend library prior to version 3.0.6 contains a pre-authentication Denial of Service (DoS) vulnerability in its webhook handling mechanism. The software processes and deserializes incoming JSON payloads before verifying the cryptographic signature, allowing unauthenticated attackers to exhaust server CPU and memory resources by sending large, complex payloads.

TL;DR

Pre-auth DoS in aiosend < 3.0.6 due to full Pydantic JSON deserialization occurring prior to HMAC signature verification on webhook endpoints.


Technical Details

  • Vulnerability Type: Pre-auth Denial of Service (DoS)
  • CWE ID: CWE-400 (Uncontrolled Resource Consumption)
  • CVSS v3.1 Score: 7.5 (High)
  • Attack Vector: Network
  • Authentication Required: None
  • Affected Component: aiosend/webhook/base.py
  • Exploit Status: PoC Available

Affected Systems

  • aiosend Python package
  • Applications utilizing aiosend for webhook processing
  • aiosend: < 3.0.6 (Fixed in: 3.0.6)

Mitigation Strategies

  • Upgrade the aiosend library to version 3.0.6 or later.
  • Implement WAF rules to drop POST requests to webhook endpoints lacking proper authentication headers.
  • Configure reverse proxies (e.g., Nginx) to enforce strict maximum request body sizes for incoming webhooks.
  • Utilize application framework middleware to reject requests exceeding expected Content-Length bounds.
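The two request-handling orders the advisory contrasts, written out as plain Python handlers over a raw request body. This is an added example, not code from aiosend, its maintainers, or the advisory's author: `parse_then_verify` deserializes the untrusted JSON before checking the signature, which is the ordering the advisory describes as vulnerable, while `verify_then_parse` applies the cheap checks first (the 50KB cap from the remediation steps, a presence check for the signature header, and an HMAC over the raw bytes) and only pays for parsing once the request is authenticated. The header name, the HMAC-SHA256 scheme, the secret and the sample requests are constructed for this example and are not aiosend's actual signing scheme; `run_demo` counts how many times each ordering parses an unauthenticated request.

```python
import hashlib
import hmac
import json

# 50KB cap, the figure the advisory's remediation steps use for webhook paths
MAX_BODY_BYTES = 50 * 1024
# Assumed header name for this example; aiosend's real header is not stated on the page
SIGNATURE_HEADER = "x-signature"


class WebhookRejected(Exception):
    """Raised by a cheap check before any expensive work is done on the request."""


def sign(secret: bytes, raw_body: bytes) -> str:
    # HMAC-SHA256 over the exact bytes received; the hash choice is an assumption here
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def parse_then_verify(raw_body: bytes, headers: dict, secret: bytes, stats: dict) -> dict:
    """Vulnerable ordering: deserialize the untrusted body, then check the signature."""
    stats["parses"] += 1
    payload = json.loads(raw_body)  # attacker-controlled cost is paid before authentication
    sig = headers.get(SIGNATURE_HEADER, "")
    if not hmac.compare_digest(sign(secret, raw_body), sig):
        raise WebhookRejected("bad signature")
    return payload


def verify_then_parse(raw_body: bytes, headers: dict, secret: bytes, stats: dict) -> dict:
    """Hardened ordering: size cap, then HMAC over the raw bytes, then deserialize."""
    if len(raw_body) > MAX_BODY_BYTES:
        raise WebhookRejected("body exceeds limit")
    sig = headers.get(SIGNATURE_HEADER)
    if sig is None:
        raise WebhookRejected("missing signature")
    # compare_digest keeps the comparison constant-time regardless of where it mismatches
    if not hmac.compare_digest(sign(secret, raw_body), sig):
        raise WebhookRejected("bad signature")
    stats["parses"] += 1  # parsing only happens for authenticated, size-bounded bodies
    return json.loads(raw_body)


def run_demo() -> dict:
    """Send one legitimate and one bulky unauthenticated request through each ordering."""
    secret = b"constructed-demo-secret"
    good = json.dumps({"event": "invoice_paid", "amount": 5}).encode()
    good_headers = {SIGNATURE_HEADER: sign(secret, good)}
    # Constructed unauthenticated request: ~125KB of valid JSON with a garbage signature
    bulky = json.dumps(list(range(20000))).encode()
    bulky_headers = {SIGNATURE_HEADER: "00" * 32}

    results = {}
    for name, handler in (("parse_then_verify", parse_then_verify),
                          ("verify_then_parse", verify_then_parse)):
        stats = {"parses": 0}
        handler(good, good_headers, secret, stats)  # the legitimate webhook is accepted by both
        try:
            handler(bulky, bulky_headers, secret, stats)
            rejected = False
        except WebhookRejected:
            rejected = True
        results[name] = {"parses": stats["parses"], "rejected_bulky": rejected}
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: parses={outcome['parses']} rejected_bulky={outcome['rejected_bulky']}")
```

Both orderings end up rejecting the forged request, which is why the defect is a resource-consumption issue rather than an authentication bypass: the difference is that `parse_then_verify` does a full `json.loads` on every unauthenticated body it is sent, while `verify_then_parse` never parses it. The size cap belongs at the reverse proxy as well, as the advisory's mitigation list suggests, so the bytes are dropped before they reach the application at all.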

Remediation Steps:

  1. Audit project dependencies to identify the installed version of aiosend.
  2. Update the aiosend dependency to version 3.0.6 in requirements.txt, Pipfile, or pyproject.toml.
  3. Rebuild and deploy the application environment with the updated dependencies.
  4. Configure web servers or reverse proxies to enforce a strict body size limit (e.g., 50KB) on the exposed webhook URL paths.
