CVE-2024-23829 — HTTP Request Smuggling in Aiohttp

CWE-444 — HTTP Request Smuggling10 documents8 sources

Severity

6.5MEDIUMNVD

CNA5.3OSV7.5

EPSS

0.5%

top 33.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aio-libs Aiohttp Aiohttp Fedoraproject Fedora

Timeline

PublishedJan 29

Latest updateJul 17

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards re…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

▶NVDaiohttp/aiohttp< 3.9.2

▶PyPIaiohttp/aiohttp< 3.9.2

▶CVEListV5aio-libs/aiohttp< 3.9.2

Also affects: Fedora 39

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

python-aiohttp vulnerabilities↗2025-07-17

▶

GHSA

aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators↗2024-01-29

▶

CVEList

aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators↗2024-01-29

▶

OSV

CVE-2024-23829: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python↗2024-01-29

▶

OSV

aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators↗2024-01-29

▶

📋Vendor Advisories

Ubuntu

AIOHTTP vulnerabilities↗2025-07-17

▶

Red Hat

python-aiohttp: http request smuggling↗2024-01-30

▶

Microsoft

aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators↗2024-01-09

▶

Debian

CVE-2024-23829: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ...↗2024

▶