aiosend: Deserialization of request body before signature verification (Pre-auth DoS) in webhook handler
Vulnerability Description

In aiosend/webhook/base.py, the WebhookHandler.feed_update() method performs full deserialization of the incoming JSON via Pydantic before verifying the HMAC signature. Anyone can send a request with an arbitrary body — the server will parse it, spend CPU and memory, and only then reject it.

Vulnerable Code

    # aiosend/webhook/base.py — feed_update()
    update = Update.model_validate(body, context={"client": self})  # parsing — always
    if not self._check_signature(body, headers):  # auth — too late
        return …
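
An added example (not aiosend's own code) of the ordering the description calls for: authenticate the raw request bytes first, and parse only what passes. The HMAC-SHA256-over-raw-body scheme, the function names, the size cap and the sample secret and body are assumptions made for illustration; json.loads stands in for Update.model_validate.

```python
import hashlib
import hmac
import json
from typing import Optional

MAX_BODY_BYTES = 64 * 1024  # assumed cap: bounds hashing cost for unauthenticated input
SECRET = b"constructed-test-secret"  # constructed sample value
PARSE_LOG = []  # records every body that reaches the parser


def parse_update(raw_body: bytes) -> dict:
    """Stand-in for Update.model_validate(): the costly step to protect."""
    PARSE_LOG.append(raw_body)
    return json.loads(raw_body)


def sign(secret: bytes, raw_body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the raw body bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def feed_update_hardened(secret: bytes, raw_body: bytes,
                         signature: Optional[str]) -> Optional[dict]:
    """Return the parsed update, or None when the request is rejected."""
    # 1. Cheap checks first: a signature must be present and the body bounded.
    if signature is None or len(raw_body) > MAX_BODY_BYTES:
        return None
    # 2. Authenticate the exact bytes received, comparing in constant time.
    expected = sign(secret, raw_body).encode()
    if not hmac.compare_digest(expected, signature.encode()):
        return None
    # 3. Only authenticated input reaches the parser.
    return parse_update(raw_body)


if __name__ == "__main__":
    body = b'{"update_id": 1}'  # constructed sample body
    print(feed_update_hardened(SECRET, body, sign(SECRET, body)))  # accepted
    print(feed_update_hardened(SECRET, body, "00" * 32))           # rejected
    print(len(PARSE_LOG))  # parser ran once, for the authenticated request only
```

Verifying over the raw bytes also avoids any mismatch between what was signed and a re-serialized form of the parsed object.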