GHSA-5QPG-RH4J-QP35

Vulnerability from github – Published: 2025-06-16 16:09 – Updated: 2025-06-16 16:09
VLAI?
Summary
pycares has a Use-After-Free Vulnerability
Details

Summary

pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.

Details

Root Cause

The vulnerability stems from improper handling of callback references when the Channel object is destroyed:

  1. When a DNS query is initiated, pycares stores a callback reference using ffi.new_handle()
  2. If the Channel object is garbage collected while queries are pending, the callback references become invalid
  3. When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error

This issue was much more likely to occur when using event_thread=True but could happen without it under the right circumstances.

Technical Details

The core issue is a race condition between Python's garbage collector and c-ares's callback execution:

  1. When __del__ is called from within a c-ares callback context, we cannot immediately call ares_destroy() because c-ares is still executing code after the callback returns
  2. c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c)
  3. If we destroy the channel too quickly, c-ares accesses freed memory

Impact

Applications using pycares can be crashed remotely by triggering DNS queries that result in Channel objects being garbage collected before query completion. This is particularly problematic in scenarios where:

  • Channel objects are created per-request
  • Multiple failed DNS queries are processed rapidly
  • The application doesn't properly manage Channel lifecycle

The error manifests as:

Fatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage

Fix

The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism

Mitigation

For Application Developers

  1. Upgrade to pycares >= 4.9.0 - This version includes the fix and requires no code changes
  2. Best practices (optional but recommended): ```python # Explicit cleanup channel.close()

# Or use context manager with pycares.Channel() as channel: # ... use channel ... # Automatically closed ``` 3. Avoid creating Channel objects per-request - Prefer long-lived instances for better performance and safety

The fix is completely transparent - no API changes or code modifications are required.

Credit

This vulnerability was reported by @vEpiphyte through the aio-libs security program.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.8.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pycares"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-16T16:09:47Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\npycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.\n\n## Details\n\n### Root Cause\n\nThe vulnerability stems from improper handling of callback references when the Channel object is destroyed:\n\n1. When a DNS query is initiated, pycares stores a callback reference using `ffi.new_handle()`\n2. If the Channel object is garbage collected while queries are pending, the callback references become invalid\n3. When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error\n\nThis issue was much more likely to occur when using `event_thread=True` but could happen without it under the right circumstances.\n\n### Technical Details\n\nThe core issue is a race condition between Python\u0027s garbage collector and c-ares\u0027s callback execution:\n\n1. When `__del__` is called from within a c-ares callback context, we cannot immediately call `ares_destroy()` because c-ares is still executing code after the callback returns\n2. c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c)\n3. If we destroy the channel too quickly, c-ares accesses freed memory\n\n### Impact\n\nApplications using `pycares` can be crashed remotely by triggering DNS queries that result in `Channel` objects being garbage collected before query completion. This is particularly problematic in scenarios where:\n\n- Channel objects are created per-request\n- Multiple failed DNS queries are processed rapidly\n- The application doesn\u0027t properly manage Channel lifecycle\n\nThe error manifests as:\n```\nFatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage\n```\n\n## Fix\n\nThe vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism\n\n## Mitigation\n\n### For Application Developers\n\n1. **Upgrade to pycares \u003e= 4.9.0** - This version includes the fix and requires no code changes\n2. **Best practices** (optional but recommended):\n   ```python\n   # Explicit cleanup\n   channel.close()\n   \n   # Or use context manager\n   with pycares.Channel() as channel:\n       # ... use channel ...\n   # Automatically closed\n   ```\n3. **Avoid creating Channel objects per-request** - Prefer long-lived instances for better performance and safety\n\nThe fix is completely transparent - no API changes or code modifications are required.\n\n## Credit\n\nThis vulnerability was reported by @vEpiphyte through the aio-libs security program.",
  "id": "GHSA-5qpg-rh4j-qp35",
  "modified": "2025-06-16T16:09:47Z",
  "published": "2025-06-16T16:09:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saghul/pycares/commit/ebfd7d71eb8e74bc1057a361ea79a5906db510d4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saghul/pycares"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "pycares has a Use-After-Free Vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.