Jeppw

**Name of the Vulnerable Software and Affected Versions** Netty versions 4.1.124.Final Netty versions 4.2.0.Alpha3 through 4.2.4.Final **Description** Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently, attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. **Recommendations** Netty version 4.1.125.Final Netty version 4.2.5.Final

Name of the Vulnerable Software and Affected Versions: AIOHTTP versions prior to 3.12.14 Description: AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, contains an issue where the Python parser does not correctly parse trailer sections of an HTTP request. This can allow an attacker to execute a request smuggling attack, potentially bypassing firewalls or proxy protections, when a pure Python version of AIOHTTP is installed or `AIOHTTP NO EXTENSIONS` is enabled. Recommendations: Upgrade to AIOHTTP version 3.12.14 or later.

**Name of the Vulnerable Software and Affected Versions** h11 versions prior to 0.16.0 **Description** h11 is a Python implementation of HTTP/1.1. A leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue. **Recommendations** Update to h11 version 0.16.0 to fix the parsing vulnerability. As a temporary workaround, consider disabling the vulnerable component until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the vulnerable function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** aiohttp versions prior to 3.10.11 **Description** aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A flaw exists in the Python parser's handling of newlines within chunk extensions, potentially leading to request smuggling vulnerabilities. If a pure Python version of aiohttp is installed (without the usual C extensions) or `AIOHTTP NO EXTENSIONS` is enabled, an attacker may be able to exploit this issue to bypass certain firewalls or proxy protections. Request smuggling occurs when an attacker manipulates HTTP requests to trick the server into processing them in an unintended way. This can lead to various security consequences, including unauthorized access and data breaches. **Recommendations** Upgrade aiohttp to version 3.10.11 or later.