PT-2023-4948 · Pypi+3 · Aiohttp+3

Sethmlarson · Published 2023-07-19 · Updated 2024-12-16 · CVE-2023-37276

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: aiohttp versions 3.8.4 and earlier

Description: The issue lies in aiohttp's handling of HTTP requests and can lead to HTTP request smuggling when a crafted HTTP request is sent. It affects users running aiohttp as an HTTP server, not those using it only as an HTTP client library. The vulnerability is fixed in version 3.8.5.

Recommendations: For aiohttp versions 3.8.4 and earlier, upgrade to version 3.8.5. As a temporary workaround for users unable to upgrade, reinstall aiohttp with AIOHTTP_NO_EXTENSIONS=1 set as an environment variable, which disables the llhttp-based HTTP request parser implementation.
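As an added example (not part of this advisory or of the aiohttp project), a POSIX sh helper that classifies an aiohttp version string against the affected range above and prints the matching remediation, either the upgrade or the AIOHTTP_NO_EXTENSIONS=1 rebuild. The pip flags --force-reinstall and --no-binary, the --installed switch, and the sample version strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the aiohttp project): classify an
# aiohttp version against the affected range of CVE-2023-37276 (3.8.4 and
# earlier, fixed in 3.8.5) and print the matching remediation.

FIXED_MAJOR=3; FIXED_MINOR=8; FIXED_PATCH=5

# aiohttp_affected VERSION
#   exit 0 = affected (VERSION < 3.8.5), 1 = fixed, 2 = unparseable.
# Pre-release/local suffixes ("3.8.5rc1", "3.8.4+local") are stripped, so an
# rc of the fixed release counts as fixed; tighten this if you pin rcs.
aiohttp_affected() {
  base=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
  [ -n "$base" ] || return 2
  major=${base%%.*}
  rest=${base#"$major"}; rest=${rest#.}
  minor=${rest%%.*}
  rest=${rest#"$minor"}; rest=${rest#.}
  patch=${rest%%.*}
  major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
  [ "$major" -lt "$FIXED_MAJOR" ] && return 0
  [ "$major" -gt "$FIXED_MAJOR" ] && return 1
  [ "$minor" -lt "$FIXED_MINOR" ] && return 0
  [ "$minor" -gt "$FIXED_MINOR" ] && return 1
  [ "$patch" -lt "$FIXED_PATCH" ]
}

# remediation VERSION -> prints the advisory's two options for an affected
# version, or confirms the version is at/after the fix. The pip flags used
# here are this example's assumption about how the reinstall would be run.
remediation() {
  rc=0; aiohttp_affected "$1" || rc=$?
  case $rc in
    0) echo "aiohttp $1 is affected by CVE-2023-37276; upgrade:"
       echo "  pip install --upgrade 'aiohttp>=3.8.5'"
       echo "or, if you cannot upgrade, rebuild without the llhttp extension:"
       echo "  AIOHTTP_NO_EXTENSIONS=1 pip install --force-reinstall --no-binary aiohttp 'aiohttp==$1'" ;;
    1) echo "aiohttp $1 is at or past the fixed version 3.8.5" ;;
    *) echo "cannot parse aiohttp version '$1'"; return 2 ;;
  esac
}

# Constructed convenience: check the interpreter's installed copy when run
# as "sh this.sh --installed" (needs pip on PATH).
if [ "${1:-}" = "--installed" ]; then
  v=$(pip show aiohttp 2>/dev/null | sed -n 's/^Version: //p')
  remediation "${v:-}"
fi
```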

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

ALT-PU-2023-5594
ALT-PU-2024-16702
BDU:2023-05462
CVE-2023-37276
GHSA-45C4-8WX5-QW6W
PYSEC-2023-120
RHSA-2024:1878
RHSA-2024:2010

Affected Products

ALT Linux
Debian
RED OS
aiohttp