aiohttp@3.9.2 vulnerabilities

Affected versions of this package are vulnerable to HTTP Request Smuggling due to incorrect parsing of newlines in chunk extensions via the feed_data function. An attacker can bypass firewall or proxy protections by sending specially crafted requests.

Note:

Exploiting this vulnerability is possible when a pure Python version of aiohttp is installed (Without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled.

Upgrade aiohttp to version 3.10.11 or higher.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following through the FileResponse class due to improper validation for compressed variants. An attacker can access files outside the intended directory by manipulating symbolic links to point to restricted areas by performing Path.stat() and Path.open() to send the file.

Note

This vulnerability impacts servers with static routes that contain compressed variants as symbolic links pointing outside the root directory or that permit users to upload or create such links.

Upgrade aiohttp to version 3.10.2 or higher.

Affected versions of this package are vulnerable to Infinite loop when processing a multipart/form-data POST request with malicious CONTENT_DISPOSITION values. An attacker can cause the server to deny all other requests while stuck in the loop.

Upgrade aiohttp to version 3.9.4 or higher.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling of index pages for static file serving when show_index is set to True. If users have the ability to upload files with arbitrary filenames to the static directory, an attacker can inject malicious scripts that will be executed in the context of the victim's browser session by crafting a file name that includes executable script content.

Note:

This is only exploitable if the server is configured to allow users to upload files to the static directory and show_index is enabled.

Upgrade aiohttp to version 3.9.4 or higher.