CVE-2024-52304: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions
First published: Mon Nov 18 2024(Updated: )
### Summary The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ----- Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/aiohttp | <=3.10.10 | 3.10.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/description
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8495-4g3g-x7pr
- alias/CVE-2024-52304
- agent/software-canonical-lookup
- collector/nvd-cve
- agent/last-modified-date
- agent/references
- agent/tags
- package-manager/pip