maxmind / GeoIP2-python

Python code for GeoIP2 webservice client and database reader
https://geoip2.readthedocs.org/en/latest/
Apache License 2.0

CVE-2022-33124 report and AIOHTTP dependence #139

Closed shtalinberg closed 1 year ago

shtalinberg commented 1 year ago

Dependency-Check results in one of our projects where geoip2 is used:

AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). More details here: https://nvd.nist.gov/vuln/detail/CVE-2022-33124

oschwald commented 1 year ago

Based on the discussion on https://github.com/aio-libs/aiohttp/issues/6772 and https://github.com/aio-libs/aiohttp/issues/6801#issuecomment-1167371253, it isn't clear to me that this is a valid report.

Even if it is a valid report, it is unlikely that the use by geoip2 would trigger it as the host is geoip.maxmind.com unless you specifically override it with the host param to the web service client. It sounds like the possible issue is only when a URL with an invalid IPv6 address has been provided as the host in the URL.
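The comment above narrows the exposure to a caller who overrides the web service host with a malformed IPv6 literal. The following is an added example, not code from geoip2 or aiohttp, of a configuration pre-check that rejects such a value before it is handed to any client; the `/geoip/v2.1/city/me` path in the last helper is illustrative only, and the helper exists to show that the standard-library URL parser fails on the same unbalanced-bracket input.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_hostname(host: str) -> bool:
    return 0 < len(host) <= 253 and all(
        _LABEL.match(label) for label in host.rstrip(".").split(".")
    )


def validate_host(host: str) -> str:
    """Return host if it is a hostname, IPv4 or bracketed IPv6 literal."""
    if host.startswith("[") or host.endswith("]"):
        # Bracketed form: both brackets present and a real IPv6 address inside.
        if not (host.startswith("[") and host.endswith("]")):
            raise ValueError(f"unbalanced IPv6 brackets in host: {host!r}")
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ValueError as exc:
            raise ValueError(f"invalid IPv6 literal in host: {host!r}") from exc
        return host
    try:
        ipaddress.IPv4Address(host)
        return host
    except ValueError:
        pass
    if _is_hostname(host):
        return host
    raise ValueError(f"not a valid hostname or IP literal: {host!r}")


def is_valid_host(host: str) -> bool:
    """Boolean form of validate_host, convenient for configuration checks."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def url_parser_accepts(host: str) -> bool:
    """urlsplit raises ValueError('Invalid IPv6 URL') on unbalanced brackets."""
    try:
        urlsplit(f"https://{host}/geoip/v2.1/city/me")  # illustrative path
        return True
    except ValueError:
        return False
```

Run `validate_host` on any host override read from configuration so a typo such as a missing closing bracket is reported at startup with a clear message rather than surfacing as a parser error inside the HTTP client.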

shtalinberg commented 1 year ago

Thanks for the reply