HTTP Request Smuggling Affecting aiohttp package, versions [,3.9.2)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.07% (34th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-AIOHTTP-6209407
  • published30 Jan 2024
  • disclosed29 Jan 2024
  • creditPaul J. Dorn

Introduced: 29 Jan 2024

CVE-2024-23829  (opens in a new tab)
CWE-444  (opens in a new tab)

How to fix?

Upgrade aiohttp to version 3.9.2 or higher.

Overview

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper validation of HTTP request elements. An attacker can potentially inject additional requests or cause unhandled exceptions leading to excessive resource consumption by exploiting leniencies in the HTTP parser and inconsistencies in error handling.

PoC

GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked

CVSS Scores

version 3.1