GHSA-8495-4g3g-x7pr: aiohttp allows request smuggling due to incorrect parsing of chunk extensions

Skip to content

Navigation Menu

• • GitHub Copilot

    Write better code with AI

  • Security

    Find and fix vulnerabilities

  • Actions

    Automate any workflow

  • Codespaces

    Instant dev environments

  • Issues

    Plan and track work

  • Code Review

    Manage code changes

  • Discussions

    Collaborate outside of code

  • Code Search

    Find more, search less

• Explore

  • Learning Pathways
  • White papers, Ebooks, Webinars
  • Customer Stories
  • Partners

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-52304

aiohttp allows request smuggling due to incorrect parsing of chunk extensions

Low severity GitHub Reviewed Published Nov 18, 2024 in aio-libs/aiohttp • Updated Nov 18, 2024

Package

pip aiohttp (pip)

Affected versions

<= 3.10.10

Description

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

Patch: aio-libs/aiohttp@259edc3

References

• GHSA-8495-4g3g-x7pr
• aio-libs/aiohttp@259edc3

Published to the GitHub Advisory Database

Nov 18, 2024

Last updated

Nov 18, 2024