statsig-python-core is vulnerable to Denial of Service (DoS)
45
Medium Risk
The ExposureSampling component in the shared Rust core deduplicates exposure events using an in-memory set keyed by an exposure sampling key. Entries are added for every unique key and the set is only emptied on a periodic reset or after it grows past a fixed size, so memory accumulates with the number of distinct keys seen between resets. Applications that produce many unique exposure keys, such as evaluating gates or experiments for high-cardinality per-request users, can drive unbounded memory growth and exhaust process memory. The fix replaces the unbounded set with a bounded LruCache and adds a configurable exposure_dedupe_max_keys cap that evicts least-recently-used entries once the limit is reached.
You are affected if you are using a version that falls within the vulnerable range.
statsig-python-core is vulnerable to Denial of Service (DoS) in versions 0.4.0 - 0.19.4.
Upgrade the statsig-python-core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant