PT-2024-8690 · Pypi+5 · Aiohttp+5

Jeppw

Published 2024-11-18 · Updated 2026-01-23 · CVE-2024-52304

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: aiohttp versions prior to 3.10.11
Description: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A flaw exists in the pure-Python HTTP parser's handling of newlines within chunk extensions (the part of a chunk-size line after the `;` in a chunked transfer-coded body), potentially leading to HTTP request smuggling. The vulnerable code path is only used when aiohttp runs without its C extensions, i.e. when a pure Python build is installed or the AIOHTTP_NO_EXTENSIONS environment variable is set; in that configuration an attacker may be able to exploit this issue to bypass certain firewall or proxy protections. Request smuggling occurs when a front-end proxy and the back-end server disagree on where one HTTP request ends and the next begins, so an attacker can inject a request that the front-end never inspected. This can lead to various security consequences, including unauthorized access and data breaches.
Recommendations: Upgrade aiohttp to version 3.10.11 or later.
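The desync mechanism described above, as an added illustration that is not aiohttp's parser, its fix, or any code from the advisory: a minimal chunked-body decoder run in three configurations over one constructed payload. The "front_end" model assumes a proxy that accepts a bare LF as a line terminator (RFC 9112 section 2.2 permits this for robustness); "vulnerable_backend" models a CRLF-only parser that tolerates a bare LF inside a chunk extension; "fixed_backend" models the hardened behaviour that rejects it. The payload, the names and the `/admin` request are all constructed for the example.

```python
"""Chunked-body desync illustration for the bare-LF-in-chunk-extension bug class.
Illustrative model only: not aiohttp's http_parser.py, and the front-end
behaviour (bare LF accepted as end-of-line) is an assumption."""

CRLF = b"\r\n"


class ChunkedParseError(ValueError):
    """The chunked body is malformed; a server would reject the request."""


class NeedMoreData(Exception):
    """Body is well-formed so far but incomplete; a server would keep reading."""


def _read_line(data: bytes, pos: int, bare_lf_is_eol: bool):
    """Return (line, next_pos) for the line at pos, or None if no terminator yet.

    bare_lf_is_eol=True models a recipient that treats a lone LF as end-of-line
    (stripping a preceding CR); False models one that only recognises CRLF.
    """
    if bare_lf_is_eol:
        i = data.find(b"\n", pos)
        if i < 0:
            return None
        line = data[pos:i]
        if line.endswith(b"\r"):
            line = line[:-1]
        return line, i + 1
    i = data.find(CRLF, pos)
    if i < 0:
        return None
    return data[pos:i], i + 2


def decode_chunked(data: bytes, *, bare_lf_is_eol: bool = False,
                   reject_lf_in_extension: bool = False) -> tuple[bytes, bytes]:
    """Decode one chunked transfer-coded body.

    Returns (decoded_body, leftover). The leftover is what a server would go on
    to parse as the *next* request on the same connection.
    reject_lf_in_extension=True: a chunk-extension (everything after ';' on the
    chunk-size line) containing a bare LF is an error instead of being accepted.
    """
    body = bytearray()
    pos = 0
    while True:
        got = _read_line(data, pos, bare_lf_is_eol)
        if got is None:
            raise NeedMoreData("chunk-size line incomplete")
        size_line, pos = got
        semi = size_line.find(b";")
        size_b = size_line if semi < 0 else size_line[:semi]
        if semi >= 0 and reject_lf_in_extension and b"\n" in size_line[semi:]:
            raise ChunkedParseError(f"bare LF in chunk-extension: {size_line[semi:]!r}")
        try:
            size = int(size_b.strip().decode("ascii"), 16)
        except (UnicodeDecodeError, ValueError):
            raise ChunkedParseError(f"bad chunk size: {size_b!r}") from None
        if size == 0:
            # last-chunk: skip trailer fields up to the empty line ending the message
            while True:
                got = _read_line(data, pos, bare_lf_is_eol)
                if got is None:
                    raise NeedMoreData("trailer section incomplete")
                line, pos = got
                if not line:
                    return bytes(body), bytes(data[pos:])
        if len(data) - pos < size:
            raise NeedMoreData(f"chunk data incomplete, want {size} bytes")
        body += data[pos:pos + size]
        pos += size
        got = _read_line(data, pos, bare_lf_is_eol)
        if got is None:
            raise NeedMoreData("line terminator after chunk data missing")
        line, pos = got
        if line:
            raise ChunkedParseError("chunk data not followed by CRLF")


# Constructed payload (not from the advisory). The first chunk-size line reads
# "b;x" to a bare-LF recipient but "b;x\nab" (extension containing an LF) to a
# CRLF-only recipient, so the two start the 11-byte chunk data 4 bytes apart.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: victim\r\n\r\n"
RAW = b"b;x\nab\r\n" + b"AAAAAAA\r\nff\r\n" + b"0\r\n\r\n" + SMUGGLED


def parse_views(raw: bytes = RAW) -> dict:
    """Run the same bytes through the three recipient models; each outcome is
    either (body, leftover) or the name of the exception raised."""
    models = {
        "front_end": dict(bare_lf_is_eol=True),                     # assumed proxy
        "vulnerable_backend": dict(reject_lf_in_extension=False),   # CRLF-only, LF tolerated
        "fixed_backend": dict(reject_lf_in_extension=True),         # CRLF-only, LF rejected
    }
    views = {}
    for name, opts in models.items():
        try:
            views[name] = decode_chunked(raw, **opts)
        except (ChunkedParseError, NeedMoreData) as exc:
            views[name] = type(exc).__name__
    return views


if __name__ == "__main__":
    for name, view in parse_views().items():
        print(f"{name:19} -> {view!r}")
```

The front-end model ends up inside a 255-byte chunk still waiting for data, having forwarded the whole payload as one request body; the vulnerable back-end model finishes the message after `0\r\n\r\n` and is left holding the `GET /admin` bytes as the start of a second request that the front-end never evaluated; the fixed model rejects the request at the first chunk-size line, so no desync is possible. To check which parser a deployment actually uses, inspect `aiohttp.http_parser.HttpRequestParser.__module__`: `aiohttp._http_parser` means the C extension is active, while `aiohttp.http_parser` means the pure-Python parser, the affected code path, is in use.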

Tags: Exploit · Fix · DoS · HTTP Request/Response Smuggling


Related Identifiers

AZL-53229
AZL-53232
BDU:2024-10292
CVE-2024-52304
DLA-4041-1
DSA-5828-1
GHSA-8495-4G3G-X7PR
MGASA-2024-0388
OESA-2025-1045
OESA-2025-1046
OESA-2025-1047
OESA-2025-1048
OPENSUSE-SU-2024_4077-1
OPENSUSE-SU-2024_4110-1
RHSA-2024:10766
RHSA-2024:11574
RHSA-2025:0340
SUSE-SU-2024:4077-1
SUSE-SU-2024:4110-1
SUSE-SU-2024_4077-1
SUSE-SU-2024_4110-1
USN-7642-1

Affected Products

Alt Linux
Linuxmint
Red Os
Suse
Ubuntu
Aiohttp