CVE-2023-37276: aiohttp vulnerable to HTTP request smuggling

First published: Wed Jul 19 2023(Updated: )

### Impact aiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). ### Reproducer ```python from aiohttp import web async def example(request: web.Request): headers = dict(request.headers) body = await request.content.read() return web.Response(text=f"headers: {headers} body: {body}") app = web.Application() app.add_routes([web.post('/', example)]) web.run_app(app) ``` Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. ```console $ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \ | nc localhost 8080 Expected output: headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b'' Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently) headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A' ``` ### Patches Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: [`pip install aiohttp >= 3.8.5`](https://pypi.org/project/aiohttp/3.8.5/) ### Workarounds If you aren't able to upgrade you can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling: ```console $ python -m pip uninstall --yes aiohttp $ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp ``` ### References * https://nvd.nist.gov/vuln/detail/CVE-2023-30589 * https://hackerone.com/reports/2001873

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-latest
• collector/nvd-index
• agent/type
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2023-37276
• agent/software-canonical-lookup
• agent/references
• agent/remedy
• agent/severity
• agent/weakness
• agent/softwarecombine
• agent/author
• agent/description
• collector/nvd-api
• agent/software-canonical-lookup-request
• agent/title
• agent/first-publish-date
• agent/event
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-45c4-8wx5-qw6w
• collector/nvd-cve
• source/NVD
• collector/github-advisory
• agent/tags
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/trending
• vendor/aiohttp project
• canonical/aiohttp project aiohttp
• version/aiohttp project aiohttp/3.8.4
• package-manager/redhat
• vendor/aiohttp
• canonical/aiohttp aiohttp
• version/aiohttp aiohttp/3.8.4
• package-manager/pip