GHSA-5qpg-rh4j-qp35: pycares has a Use-After-Free Vulnerability

June 16, 2025

pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.

References

github.com/advisories/GHSA-5qpg-rh4j-qp35
github.com/saghul/pycares
github.com/saghul/pycares/commit/ebfd7d71eb8e74bc1057a361ea79a5906db510d4
github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35

Code Behaviors & Features

Detect and mitigate GHSA-5qpg-rh4j-qp35 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →