aiohttp@3.6.0a9 vulnerabilities

Affected versions of this package are vulnerable to HTTP Request Smuggling due to incorrect parsing of newlines in chunk extensions via the feed_data function. An attacker can bypass firewall or proxy protections by sending specially crafted requests.

Note:

Exploiting this vulnerability is possible when a pure Python version of aiohttp is installed (Without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled.

Upgrade aiohttp to version 3.10.11 or higher.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following through the FileResponse class due to improper validation for compressed variants. An attacker can access files outside the intended directory by manipulating symbolic links to point to restricted areas by performing Path.stat() and Path.open() to send the file.

Note

This vulnerability impacts servers with static routes that contain compressed variants as symbolic links pointing outside the root directory or that permit users to upload or create such links.

Upgrade aiohttp to version 3.10.2 or higher.

Affected versions of this package are vulnerable to Infinite loop when processing a multipart/form-data POST request with malicious CONTENT_DISPOSITION values. An attacker can cause the server to deny all other requests while stuck in the loop.

Upgrade aiohttp to version 3.9.4 or higher.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling of index pages for static file serving when show_index is set to True. If users have the ability to upload files with arbitrary filenames to the static directory, an attacker can inject malicious scripts that will be executed in the context of the victim's browser session by crafting a file name that includes executable script content.

Note:

This is only exploitable if the server is configured to allow users to upload files to the static directory and show_index is enabled.

Upgrade aiohttp to version 3.9.4 or higher.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper validation of HTTP request elements. An attacker can potentially inject additional requests or cause unhandled exceptions leading to excessive resource consumption by exploiting leniencies in the HTTP parser and inconsistencies in error handling.

Upgrade aiohttp to version 3.9.2 or higher.

Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') via the configuration of static routes when the follow_symlinks option is set to True. An attacker can read arbitrary files on the system by exploiting the lack of validation for file paths to ensure they are within the specified root directory for static files.

Notes:

This vulnerability has been present since the introduction of the follow_symlinks parameter.

An application is only vulnerable with setup code like:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])

Upgrade aiohttp to version 3.9.2 or higher.

Affected versions of this package are vulnerable to Improper Input Validation via the ClientSession method. An attacker can modify the HTTP request or create a new HTTP request if they control the HTTP method.

Note: This is only exploitable if the attacker can control the HTTP method of the request.

Upgrade aiohttp to version 3.9.0 or higher.

Affected versions of this package are vulnerable to Improper Input Validation in the ClientSession. An attacker can modify the HTTP request or create a new HTTP request by controlling the HTTP version of the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.

Note: The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).

Upgrade aiohttp to version 3.9.0 or higher.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to a vulnerable dependency. An attacker can exploit request smuggling vulnerabilities.

Upgrade aiohttp to version 3.8.6 or higher.

Affected versions of this package are vulnerable to Inconsistent Interpretation of HTTP Messages due to the inconsistent interpretation of Content-Length vs. Transfer-Encoding in both C and Python fallbacks. An attacker can bypass proxy rules and poison sockets to other users, potentially passing Authentication Headers.

Note:

This is only exploitable if a configuration with a reverse proxy that accepts both Content-Length and Transfer-Encoding headers and aiohttp as backend is present.

Additionally, if an Open Redirect is present, it can be combined to redirect random users to an attacker's website and log the request.

Upgrade aiohttp to version 3.8.0 or higher.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the HTTP parser. An attacker can manipulate the header parsing, leading to potential request smuggling by exploiting the incorrect usage of the int constructor for Content-Length values, improper handling of NUL, CR, and LF in header values, and improper stripping of whitespace before colon in HTTP headers.

Note:

This is only exploitable if AIOHTTP_NO_EXTENSIONS is enabled or not using a prebuilt wheel.

Upgrade aiohttp to version 3.8.6 or higher.

Affected versions of this package are vulnerable to HTTP Request Smuggling in that aiohttp is bundled with llhttp v6.0.6, which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser, when available, which is the default case when installing from a wheel.

Note

This vulnerability only affects users of aiohttp as an HTTP server (i.e. aiohttp.Application). Users are not affected by this vulnerability if they use aiohttp as an HTTP client library (i.e. aiohttp.ClientSession).

Upgrade aiohttp to version 3.8.5 or higher.

Affected versions of this package are vulnerable to HTTP Header Injection since aiohttp simply concatenated headers without any validation. This allowed an attacker to inject arbitrary content into the headers, including CRLF characters.

PoC

// For this code
import aiohttp.web
async def handler(req: aiohttp.web.Request):
    return aiohttp.web.Response(headers={
        'X-Debug-Param': req.query.get('param', ''),
    })
app = aiohttp.web.Application()
app.add_get('/', handler)

// Send the following requests to the webapp
/?param=%0d%0aLocation:%20https://malware.host/  # open redirect
/?param=%0d%0aSet-Cookie:%20...                  # set some cookie
/?param=%0d%0aContent-Length:%2040%0d%0a         # skip next headers

Upgrade aiohttp to version 3.8.0 or higher.

Affected versions of this package are vulnerable to Open Redirect. Redirects are possible within the aiohttp.web.normalize_path_middleware.

Upgrade aiohttp to version 3.7.4 or higher.