Fluid Attacks Database

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python-aiohttp	=3.7.4-1 \|\| >=0 <3.7.4-1+deb11u1	3.7.4-1+deb11u1
debian 13	python-aiohttp	>=0 <3.10.11-1	3.10.11-1
pypi	aiohttp	>=0 <3.10.11	3.10.11
debian 12	python-aiohttp	=3.8.4-1 \|\| >=0 <3.8.4-1+deb12u1	3.8.4-1+deb12u1
debian 14	python-aiohttp	>=0 <3.10.11-1	3.10.11-1

Aliases

1. CVE-2024-523042. NVD-2024-523043. OSV-DEBIAN-2024-523044. OSV-2024-523045. GHSA-8495-4g3g-x7pr6. GCVE-2024-523047. SECURITY-TRACKER-CVE-2024-523048. lists.debian.org

References

1. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr2. https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.