CVE-2024-52304HTTP Request Smuggling in Aiohttp

CWE-444HTTP Request Smuggling9 documents7 sources
Severity
6.3MEDIUMNVD
OSV7.5
EPSS
0.5%
top 36.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Aio-libs AiohttpAiohttp
Timeline
PublishedNov 18
Latest updateJul 17

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

NVDaiohttp/aiohttp< 3.10.11
PyPIaiohttp/aiohttp< 3.10.11
CVEListV5aio-libs/aiohttp< 3.10.11

Patches

Patch: github.com

🔴Vulnerability Details

5
OSV
python-aiohttp vulnerabilities2025-07-17
GHSA
aiohttp allows request smuggling due to incorrect parsing of chunk extensions2024-11-18
OSV
CVE-2024-52304: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python2024-11-18
OSV
aiohttp allows request smuggling due to incorrect parsing of chunk extensions2024-11-18
CVEList
aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions2024-11-18

📋Vendor Advisories

3
Ubuntu
AIOHTTP vulnerabilities2025-07-17
Red Hat
aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions2024-11-18
Debian
CVE-2024-52304: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ...2024
CVE-2024-52304 — HTTP Request Smuggling in Aiohttp | cvebase