PT-2023-8839 · Aiohttp+5

Kenballus · Published 2023-10-06 · Updated 2025-07-17 · CVE-2023-47627

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: aiohttp versions prior to 3.8.6
Description: The HTTP parser in aiohttp has numerous problems with header parsing, which could lead to request smuggling. This issue is related to the handling of Content-Length values, improper handling of NUL, CR, and LF in header values, and improper stripping of whitespace before the colon in HTTP headers. The parser is only used when AIOHTTP_NO_EXTENSIONS is enabled.
Recommendations: For versions prior to 3.8.6, upgrade to version 3.8.6 or later to address the issue. As a temporary workaround, consider disabling the use of AIOHTTP_NO_EXTENSIONS to prevent the vulnerable parser from being used. Reject all messages with NUL, CR, or LF in a header value and reject all messages with whitespace before a colon in a header field. Verify that a Content-Length value consists only of ASCII digits before parsing.
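The three rejection checks from the recommendation, as an added Python example that is not part of the advisory or of aiohttp's own parser; the message samples are constructed, and the function name `check_headers` and its input convention (the full request head, CRLF-delimited) are assumptions:

```python
from typing import Optional

# Bytes that must never survive inside a header value. The block is split
# on CRLF only, so a bare LF or CR left inside a value means the sender
# used a line ending a lenient parser might treat as a header boundary.
FORBIDDEN_IN_VALUE = (b"\x00", b"\r", b"\n")


def check_headers(raw: bytes) -> Optional[str]:
    """Validate the head of one HTTP request (request line + headers).

    Returns None when the headers pass all three checks recommended in the
    advisory, otherwise a short reason for rejecting the whole message.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "header block not terminated by CRLF CRLF"
    _request_line, *header_lines = head.split(b"\r\n")
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon or not name:
            return f"malformed header line {line!r}"
        # Check 1: no whitespace between the field name and the colon.
        if name != name.rstrip(b" \t"):
            return f"whitespace before colon in {name!r}"
        value = value.strip(b" \t")
        # Check 2: no NUL, CR or LF anywhere in a field value.
        for bad in FORBIDDEN_IN_VALUE:
            if bad in value:
                return f"forbidden byte {bad!r} in value of {name!r}"
        # Check 3: Content-Length must be ASCII digits only (bytes.isdigit()
        # is ASCII-only and rejects the empty string, "+5", "0x10", etc.).
        if name.lower() == b"content-length" and not value.isdigit():
            return f"non-numeric Content-Length {value!r}"
    return None


if __name__ == "__main__":
    # Constructed samples: one clean request and one per rejected shape.
    samples = [
        b"GET / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost : example.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nX-A: foo\nContent-Length: 3\r\n\r\n",
        b"GET / HTTP/1.1\r\nContent-Length: +5\r\n\r\n",
    ]
    for s in samples:
        print(check_headers(s) or "accepted")
```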

Exploit · Fix · DoS · HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

ALT-PU-2024-16702
ALT-PU-2024-6120
AZL-43882
AZL-44370
BDU:2024-02173
CVE-2023-47627
DLA-4041-1
DSA-5828-1
GHSA-GFW2-4JVH-WGFG
OESA-2025-1250
OESA-2025-1346
OESA-2025-1347
OPENSUSE-SU-2024:13465-1
PYSEC-2023-246
RHSA-2024:1057
RHSA-2024:1536
RHSA-2024:1640
RHSA-2024:1878
RHSA-2024:2010
SUSE-SU-2024:0577-1
USN-7642-1

Affected Products

Alt Linux
Linuxmint
Red Os
Suse
Ubuntu
Aiohttp