CVE-2024-52304

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.
HTTP Request/Response Smuggling
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
GitHub_MCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
aiohttpaiohttp
𝑥
< 3.10.11
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-aiohttp
bullseye
vulnerable
bullseye (security)
3.7.4-1+deb11u1
fixed
bookworm
3.8.4-1+deb12u1
fixed
bookworm (security)
3.8.4-1+deb12u1
fixed
forky
3.11.16-1
fixed
sid
3.11.16-1
fixed
trixie
3.11.16-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-aiohttp
plucky
not-affected
oracular
ignored
noble
Fixed 3.9.1-1ubuntu0.1+esm1
released
jammy
Fixed 3.8.1-4ubuntu0.2+esm1
released
focal
Fixed 3.6.2-1ubuntu1+esm4
released
bionic
Fixed 3.0.1-1ubuntu0.1~esm5
released
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr