aiohttp@3.9.4rc0 vulnerabilities

Async http client/server framework (asyncio)

Direct Vulnerabilities

Known vulnerabilities in the aiohttp package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
HTTP Request Smuggling

Affected versions of this package are vulnerable to HTTP Request Smuggling due to incorrect parsing of newlines in chunk extensions via the feed_data function. An attacker can bypass firewall or proxy protections by sending specially crafted requests.

Note:

Exploiting this vulnerability is possible when a pure Python version of aiohttp is installed (Without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled.

How to fix HTTP Request Smuggling?

Upgrade aiohttp to version 3.10.11 or higher.

[,3.10.11)
  • M
UNIX Symbolic Link (Symlink) Following

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following through the FileResponse class due to improper validation for compressed variants. An attacker can access files outside the intended directory by manipulating symbolic links to point to restricted areas by performing Path.stat() and Path.open() to send the file.

Note

This vulnerability impacts servers with static routes that contain compressed variants as symbolic links pointing outside the root directory or that permit users to upload or create such links.

How to fix UNIX Symbolic Link (Symlink) Following?

Upgrade aiohttp to version 3.10.2 or higher.

[,3.10.2)
  • H
Infinite loop

Affected versions of this package are vulnerable to Infinite loop when processing a multipart/form-data POST request with malicious CONTENT_DISPOSITION values. An attacker can cause the server to deny all other requests while stuck in the loop.

How to fix Infinite loop?

Upgrade aiohttp to version 3.9.4 or higher.

[,3.9.4)
  • M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling of index pages for static file serving when show_index is set to True. If users have the ability to upload files with arbitrary filenames to the static directory, an attacker can inject malicious scripts that will be executed in the context of the victim's browser session by crafting a file name that includes executable script content.

Note:

This is only exploitable if the server is configured to allow users to upload files to the static directory and show_index is enabled.

How to fix Cross-site Scripting (XSS)?

Upgrade aiohttp to version 3.9.4 or higher.

[,3.9.4)