OpenStack Neutron (CVE-2021-40797) – 8th Sep, 2021

Preface: OpenStack Neutron is an SDN networking project focused on delivering networking-as-a-service (NaaS) in virtual compute environments. Neutron replaced the original OpenStack networking application programming interface (API), called Quantum.

Background: The Web Server Gateway Interface (WSGI) is a simple calling convention for web servers to forward requests to web applications or frameworks written in the Python programming language. The current version of WSGI is 1.0. Neutron's Router class uses routes.middleware.RoutesMiddleware to map incoming requests to WSGI applications.
In object-oriented programming, a singleton class is a class that can have only one object (one instance of the class) at a time. The Singleton design pattern is useful for allowing only one instance of a class, but common mistakes can inadvertently allow more than one instance to be created.

Ref: When using “singleton=True” (the default value), a routes._RequestConfig() is always created [1]. This object holds a thread-safe variable that stores the context information for each request.

Vulnerability details: An authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.

Remedy: Don’t use the singleton mode of routes.middleware.RoutesMiddleware (i.e. create it with singleton=False) – https://review.opendev.org/c/openstack/neutron/+/807638
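To make the property behind the remedy concrete, here is an added illustration written for this page; it is my own toy code, not the routes library and not Neutron's code. It re-implements the two shapes of request config in miniature: a process-wide, thread-local "singleton" config (the pattern routes._RequestConfig follows) and a plain per-request object. The names SharedRequestConfig, PerRequestConfig, ToyRoutesMiddleware and Environ are assumptions for the example, and the check uses a weak reference to observe whether a request's environ is still alive after the middleware has returned. It shows the retention behaviour the page describes (per-request data outliving the request when stashed in a shared config), not the exact leak path inside neutron-server.

```python
import gc
import threading
import weakref


class Environ(dict):
    """Stand-in for a WSGI environ dict; a dict subclass so it can be weakly referenced.
    (Constructed for this example; real WSGI environs are plain dicts.)"""


class SharedRequestConfig:
    """Toy process-wide request config (assumed name). All instances read and write one
    threading.local(), so whatever a request stores here stays reachable after the
    request has finished, for as long as the serving thread lives."""
    _state = threading.local()

    def __getattr__(self, name):
        # Only reached when normal lookup fails, i.e. for request-scoped attributes.
        try:
            return getattr(self._state, name)
        except AttributeError:
            raise AttributeError(name) from None

    def __setattr__(self, name, value):
        # Every write lands in the shared thread-local namespace, never on the instance.
        setattr(self._state, name, value)


class PerRequestConfig:
    """Toy per-request config (assumed name): created for one request, dropped with it."""


class ToyRoutesMiddleware:
    """Minimal middleware (assumed name) that records the request in a config object before
    dispatching; the singleton flag picks the shared config or a fresh one per request."""

    def __init__(self, app, singleton=True):
        self.app = app
        self.singleton = singleton

    def __call__(self, environ):
        config = SharedRequestConfig() if self.singleton else PerRequestConfig()
        config.environ = environ            # request-scoped data stored on the config
        config.path = environ["PATH_INFO"]
        return self.app(environ, config)


def hello_app(environ, config):
    """Trivial WSGI-style application that answers with the routed path."""
    return "handled " + config.path


def dispatch(path, singleton=False):
    """Serve one constructed GET request through the toy middleware and return the response."""
    mw = ToyRoutesMiddleware(hello_app, singleton=singleton)
    return mw(Environ(PATH_INFO=path, REQUEST_METHOD="GET"))


def retained_after_request(singleton, n_requests=3):
    """Serve n constructed requests on this thread, then report whether the last request's
    environ is still alive once the middleware returned and the caller dropped its reference.
    True means per-request data is being retained beyond the request's lifetime."""
    mw = ToyRoutesMiddleware(hello_app, singleton=singleton)
    ref = None
    for i in range(n_requests):
        environ = Environ(PATH_INFO=f"/v2.0/networks/{i}", REQUEST_METHOD="GET")
        ref = weakref.ref(environ)
        mw(environ)
        del environ                          # the caller keeps no strong reference
    gc.collect()
    return ref() is not None


if __name__ == "__main__":
    print("singleton=True  retains environ:", retained_after_request(singleton=True))
    print("singleton=False retains environ:", retained_after_request(singleton=False))
```

With singleton=True the shared thread-local still points at the last environ after the request is over, so the request's data cannot be freed; with singleton=False the config object dies with the request and the environ is collected. In the real library the equivalent switch is the singleton keyword of routes.middleware.RoutesMiddleware, which is what the linked Neutron change turns off.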
