PT-2024-1488 · Pypi+6 · Aiohttp+6
Pajod · Published 2024-01-29 · Updated 2025-07-17 · CVE-2024-23829
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
aiohttp versions prior to 3.9.2
Description
The issue lies in the Python HTTP parser in aiohttp, which has minor differences in the set of characters it accepts. Depending on the deployment environment, this can trigger error handling and assist in request smuggling. The unhandled exception can also cause excessive resource consumption on the application server and/or its logging facilities. The vulnerability exists because the fix for a previous issue was incomplete.
API Endpoints:
No specific API endpoints are mentioned, but the issue is related to HTTP requests, such as GET / HTTP/1.1.
Vulnerable Parameters or Variables:
No specific parameters or variables are mentioned, but the issue is related to HTTP version and method validation.
Function Names:
No specific function names are mentioned.
Recommendations
For versions prior to 3.9.2, update to version 3.9.2 to fix the vulnerability. As a temporary workaround, consider restricting access to the aiohttp server to minimize the risk of exploitation. Avoid using malformed HTTP requests until the issue is resolved.
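The advisory turns on two practical questions: which request lines a strict HTTP/1.x parser should accept, and whether a deployed aiohttp release is below the fixed version. The following is an added example written for this page; it is not aiohttp's own parser or any code from the aiohttp project, and the sample request lines are constructed generic malformations (the exact characters aiohttp's Python parser mishandled are not stated on this page, so nothing here reproduces the defect). It enforces the RFC 9112 request-line grammar (RFC 9110 tchar for the method, single SP separators, exactly HTTP/digit.digit) and turns every rejection into one well-defined error type, so a malformed line is answered as a 400-class condition instead of an unhandled exception landing in the server's error path and logs. The `needs_upgrade` helper is a deliberately simplistic version comparison for an inventory check against the 3.9.2 fix release.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# RFC 9110 "tchar": the only bytes permitted in an HTTP method token.
_TCHAR = rb"!#$%&'*+\-.^_`|~0-9A-Za-z"
_METHOD_RE = re.compile(rb"^[" + _TCHAR + rb"]+\Z")
# RFC 9112 HTTP-version: exactly "HTTP/" DIGIT "." DIGIT, nothing more.
_VERSION_RE = re.compile(rb"^HTTP/([0-9])\.([0-9])\Z")


class RequestLine(NamedTuple):
    method: bytes
    target: bytes
    version: Tuple[int, int]


class RequestLineError(ValueError):
    """The single exception type for any request line the strict grammar rejects."""


def parse_request_line(line: bytes) -> RequestLine:
    """Parse one HTTP/1.x request line under the strict RFC 9112 grammar.

    Every rejection is a RequestLineError that the caller maps to a 400
    response; no other exception type escapes from here.
    """
    if not line.endswith(b"\r\n"):
        raise RequestLineError("request line must end with CRLF")
    body = line[:-2]
    if b"\r" in body or b"\n" in body:
        raise RequestLineError("bare CR or LF inside request line")
    parts = body.split(b" ")  # exactly one SP between the three parts
    if len(parts) != 3:
        raise RequestLineError("expected 'method SP request-target SP HTTP-version'")
    method, target, version = parts
    if not _METHOD_RE.match(method):
        raise RequestLineError("method contains a byte outside RFC 9110 tchar")
    # request-target must be non-empty and free of whitespace/control bytes
    if not target or any(b <= 0x20 or b == 0x7F for b in target):
        raise RequestLineError("request-target is empty or contains whitespace/control bytes")
    m = _VERSION_RE.match(version)
    if m is None:
        raise RequestLineError("HTTP-version must be exactly HTTP/<digit>.<digit>")
    return RequestLine(method, target, (int(m.group(1)), int(m.group(2))))


def audit_request_lines(lines: List[bytes]) -> Dict[bytes, Tuple[str, object]]:
    """Run the strict parser over a batch and report accept/reject per line."""
    report: Dict[bytes, Tuple[str, object]] = {}
    for line in lines:
        try:
            report[line] = ("accepted", parse_request_line(line))
        except RequestLineError as exc:
            report[line] = ("rejected", str(exc))
    return report


def needs_upgrade(installed: str, fixed: str = "3.9.2") -> bool:
    """True when the installed aiohttp release is older than the fixed one.

    Assumption: comparing the leading digits of the first three dotted
    components is enough for an inventory check ("3.9.2b0" sorts as 3.9.2).
    """
    def key(v: str) -> Tuple[int, ...]:
        return tuple(int(re.match(r"\d+", p).group()) for p in v.split(".")[:3])
    return key(installed) < key(fixed)


# Constructed sample request lines (not taken from the advisory).
SAMPLES = [
    b"GET / HTTP/1.1\r\n",      # well-formed
    b"GET / HTTP/1.1\n",        # bare LF line ending
    b"GET\t/\tHTTP/1.1\r\n",    # TAB instead of SP as separator
    b"GET / HTTP/1.10\r\n",     # two-digit minor version
    b"GET / HTTP/1.1 \r\n",     # trailing SP before CRLF
    b"G{ET / HTTP/1.1\r\n",     # '{' is not a tchar
]

if __name__ == "__main__":
    for line, (verdict, detail) in audit_request_lines(SAMPLES).items():
        print(f"{line!r:28} {verdict}: {detail}")
    print("aiohttp 3.9.1 needs upgrade:", needs_upgrade("3.9.1"))
```

Only the first sample is accepted; each of the others is rejected with a specific reason rather than an arbitrary traceback, which is the behaviour a front-end proxy and the application server should agree on to keep request boundaries unambiguous.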
Exploit
Fix
DoS
HTTP Request/Response Smuggling
Affected Products
Alt Linux
Debian
Linuxmint
Red Os
Suse
Ubuntu
Aiohttp