CVE-2023-37276 — HTTP Request Smuggling in Aiohttp

CWE-444 — HTTP Request Smuggling7 documents6 sources

Severity

7.5HIGHNVD

CNA5.3

EPSS

5.8%

top 9.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aio-libs Aiohttp Aiohttp

Timeline

PublishedJul 19

Latest updateJul 20

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶PyPIaiohttp/aiohttp< 3.8.5

▶CVEListV5aio-libs/aiohttp< 3.8.5

▶NVDaiohttp/aiohttp3.8.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser↗2023-07-20

▶

OSV

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser↗2023-07-20

▶

OSV

CVE-2023-37276: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python↗2023-07-19

▶

CVEList

aiohttp vulnerable to HTTP request smuggling↗2023-07-19

▶

📋Vendor Advisories

Red Hat

python-aiohttp: HTTP request smuggling via llhttp HTTP request parser↗2023-07-19

▶

Debian

CVE-2023-37276: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ...↗2023

▶