Fluid Attacks Database

Description

aiohttp has vulnerable dependency that is vulnerable to request smuggling

Summary

llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities. Details have not been disclosed yet, so refer to llhttp for future information. The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	aiohttp	>=0 <3.8.6	3.8.6

Aliases

1. GHSA-pjjw-qhg8-p2p92. GCVE-GHSA-pjjw-qhg8-p2p9

References

1. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p92. https://github.com/aio-libs/aiohttp/commit/996de2629ef6b4c2934a7c04dfd49d0950d4c43b3. https://github.com/aio-libs/aiohttp/commit/bcc416e533796d04fb8124ef1e7686b1f338767a

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.