Advisory Published
Advisory Published

CVE-2023-47627: Request smuggling in aiohttp

First published: Tue Nov 14 2023(Updated: )

# Summary The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when `AIOHTTP_NO_EXTENSIONS` is enabled (or not using a prebuilt wheel). # Details ## Bug 1: Bad parsing of `Content-Length` values ### Description RFC 9110 says this: > `Content-Length = 1*DIGIT` AIOHTTP does not enforce this rule, presumably because of an incorrect usage of the builtin `int` constructor. Because the `int` constructor accepts `+` and `-` prefixes, and digit-separating underscores, using `int` to parse CL values leads AIOHTTP to significant misinterpretation. ### Examples ``` GET / HTTP/1.1\r\n Content-Length: -0\r\n \r\n X ``` ``` GET / HTTP/1.1\r\n Content-Length: +0_1\r\n \r\n X ``` ### Suggested action Verify that a `Content-Length` value consists only of ASCII digits before parsing, as the standard requires. ## Bug 2: Improper handling of NUL, CR, and LF in header values ### Description RFC 9110 says this: > Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message. AIOHTTP's HTTP parser does not enforce this rule, and will happily process header values containing these three forbidden characters without replacing them with SP. ### Examples ``` GET / HTTP/1.1\r\n Header: v\x00alue\r\n \r\n ``` ``` GET / HTTP/1.1\r\n Header: v\ralue\r\n \r\n ``` ``` GET / HTTP/1.1\r\n Header: v\nalue\r\n \r\n ``` ### Suggested action Reject all messages with NUL, CR, or LF in a header value. The translation to space thing, while technically allowed, does not seem like a good idea to me. ## Bug 3: Improper stripping of whitespace before colon in HTTP headers ### Description RFC 9112 says this: > No whitespace is allowed between the field name and colon. In the past, differences in the handling of such whitespace have led to security vulnerabilities in request routing and response handling. A server MUST reject, with a response status code of 400 (Bad Request), any received request message that contains whitespace between a header field name and colon. AIOHTTP does not enforce this rule, and will simply strip any whitespace before the colon in an HTTP header. ### Example ``` GET / HTTP/1.1\r\n Content-Length : 1\r\n \r\n X ``` ### Suggested action Reject all messages with whitespace before a colon in a header field, as the standard requires. # PoC Example requests are embedded in the previous section. To reproduce these bugs, start an AIOHTTP server without llhttp (i.e. `AIOHTTP_NO_EXTENSIONS=1`) and send the requests given in the previous section. (e.g. by `printf`ing into `nc`) # Impact Each of these bugs can be used for request smuggling.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Aiohttp Aiohttp<3.8.6

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Reference Links

Frequently Asked Questions

  • What is CVE-2023-47627?

    CVE-2023-47627 is a vulnerability in aiohttp, an HTTP client/server for Python.

  • What is the severity of CVE-2023-47627?

    The severity of CVE-2023-47627 is medium, with a CVSS score of 5.3.

  • How does CVE-2023-47627 affect aiohttp?

    CVE-2023-47627 affects aiohttp version 3.8.6.

  • What is the CWE classification for CVE-2023-47627?

    CVE-2023-47627 is classified under CWE-444, which is for 'Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling').'

  • How can CVE-2023-47627 be fixed?

    To fix CVE-2023-47627, it is recommended to update aiohttp to version 3.8.7 or later.


SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203