Skip to content

Request smuggling due to incorrect parsing of chunk extensions

Low
Dreamsorcerer published GHSA-8495-4g3g-x7pr Nov 18, 2024

Package

pip aiohttp (pip)

Affected versions

<= 3.10.10

Patched versions

3.10.11

Description

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

Patch: 259edc3

Severity

Low

CVE ID

CVE-2024-52304

Weaknesses

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. Learn more on MITRE.

Credits