aiohttp@3.9.1 vulnerabilities

Affected versions of this package are vulnerable to HTTP Request Smuggling due to incorrect parsing of newlines in chunk extensions via the feed_data function. An attacker can bypass firewall or proxy protections by sending specially crafted requests.

Note:

Exploiting this vulnerability is possible when a pure Python version of aiohttp is installed (Without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled.

Upgrade aiohttp to version 3.10.11 or higher.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following through the FileResponse class due to improper validation for compressed variants. An attacker can access files outside the intended directory by manipulating symbolic links to point to restricted areas by performing Path.stat() and Path.open() to send the file.

Note

This vulnerability impacts servers with static routes that contain compressed variants as symbolic links pointing outside the root directory or that permit users to upload or create such links.

Upgrade aiohttp to version 3.10.2 or higher.

Affected versions of this package are vulnerable to Infinite loop when processing a multipart/form-data POST request with malicious CONTENT_DISPOSITION values. An attacker can cause the server to deny all other requests while stuck in the loop.

Upgrade aiohttp to version 3.9.4 or higher.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling of index pages for static file serving when show_index is set to True. If users have the ability to upload files with arbitrary filenames to the static directory, an attacker can inject malicious scripts that will be executed in the context of the victim's browser session by crafting a file name that includes executable script content.

Note:

This is only exploitable if the server is configured to allow users to upload files to the static directory and show_index is enabled.

Upgrade aiohttp to version 3.9.4 or higher.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper validation of HTTP request elements. An attacker can potentially inject additional requests or cause unhandled exceptions leading to excessive resource consumption by exploiting leniencies in the HTTP parser and inconsistencies in error handling.

Upgrade aiohttp to version 3.9.2 or higher.

Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') via the configuration of static routes when the follow_symlinks option is set to True. An attacker can read arbitrary files on the system by exploiting the lack of validation for file paths to ensure they are within the specified root directory for static files.

Notes:

This vulnerability has been present since the introduction of the follow_symlinks parameter.

An application is only vulnerable with setup code like:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])

Upgrade aiohttp to version 3.9.2 or higher.