VYPR
Moderate severity · NVD Advisory · Published Jul 19, 2023 · Updated Oct 18, 2024

aiohttp vulnerable to HTTP request smuggling

CVE-2023-37276

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier bundle llhttp v6.0.6. The vulnerable code is used by aiohttp for its HTTP request parser whenever the compiled extension is available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (i.e. aiohttp.Application); you are not affected if you use aiohttp only as an HTTP client library (i.e. aiohttp.ClientSession). Sending a crafted HTTP request causes the server to misinterpret one of the HTTP header values, leading to HTTP request smuggling. This issue has been addressed in version 3.8.5, and users are advised to upgrade. Users unable to upgrade can reinstall aiohttp with AIOHTTP_NO_EXTENSIONS=1 set as an environment variable to disable the llhttp HTTP request parser implementation; the pure Python implementation is not vulnerable.
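The advisory's exposure conditions (server use, compiled llhttp parser in use, version below 3.8.5) reduce to a small audit check. The following is an added example, not code from the advisory or the aiohttp project; the live check assumes that when the C extension loads, aiohttp.http_parser.HttpRequestParser is the class defined in aiohttp._http_parser, and the version strings used in the test are constructed.

```python
"""Audit helper for CVE-2023-37276 in aiohttp (< 3.8.5 with the bundled llhttp parser).

Encodes the advisory's conditions: only the server side (aiohttp.Application)
is exposed, and only when the compiled llhttp request parser is in use, i.e.
aiohttp was not installed with AIOHTTP_NO_EXTENSIONS=1.
"""
import re
from typing import Optional, Tuple

PATCHED = (3, 8, 5)  # first fixed release named in the advisory


def release_tuple(version: str) -> Tuple[int, ...]:
    """Return the numeric release segment of a version string.

    Dev/post suffixes such as '3.8.4.post0.dev0' reduce to (3, 8, 4); the
    advisory's affected range is stated on the release segment only.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str, no_extensions: bool, serves_http: bool = True) -> bool:
    """Apply the advisory's three conditions to a described deployment."""
    if not serves_http:
        return False  # client-only use (aiohttp.ClientSession) is not affected
    if no_extensions:
        return False  # pure Python parser is not vulnerable
    return release_tuple(version) < PATCHED


def audit_installed() -> Optional[str]:
    """Inspect the running interpreter; None if aiohttp is not importable.

    Assumption (not from the advisory): when the C extension has loaded,
    aiohttp.http_parser.HttpRequestParser is the class from aiohttp._http_parser.
    """
    try:
        import aiohttp
        from aiohttp import http_parser
    except ImportError:
        return None
    uses_llhttp = http_parser.HttpRequestParser.__module__ == "aiohttp._http_parser"
    verdict = "VULNERABLE" if is_vulnerable(aiohttp.__version__, not uses_llhttp) else "ok"
    return f"aiohttp {aiohttp.__version__} llhttp_parser={uses_llhttp}: {verdict}"


if __name__ == "__main__":
    print(audit_installed() or "aiohttp is not installed in this interpreter")
```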

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
aiohttp (PyPI)   < 3.8.5             3.8.5

Patches

9337fb3f2ab2

Fix bump llhttp to v8.1.1 (#7367) (#7377)

https://github.com/aio-libs/aiohttp · Sam Bull · Jul 18, 2023 · via ghsa
5 files changed · +28 −2
  • docs/contributing.rst+2 0 modified
    @@ -110,6 +110,8 @@ Install pre-commit hooks:
     
     Congratulations, you are ready to run the test suite!
     
    +.. include:: ../vendor/README.rst
    +
     
     Run autoformatter
     -----------------
    
  • .gitmodules+1 1 modified
    @@ -1,4 +1,4 @@
     [submodule "vendor/llhttp"]
         path = vendor/llhttp
         url = https://github.com/nodejs/llhttp.git
    -    branch = v8.1.1
    +    branch = v8.x
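    Review bot: changing `branch` from the pinned `v8.1.1` to the moving `v8.x` means the `git submodule update --init --recursive --remote` path that the new vendor/README.rst recommends will advance llhttp to whatever v8 release is current rather than the v8.1.1 the commit title names; the version actually built is fixed only by the vendor/llhttp gitlink, so either keep a tag-valued `branch` here or state in the README that `--remote` may move past the tested release.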
    
  • tests/test_http_parser.py+1 0 modified
    @@ -685,6 +685,7 @@ def test_http_response_parser_bad(response) -> None:
             response.feed_data(b"HTT/1\r\n\r\n")
     
     
    +@pytest.mark.skipif(not NO_EXTENSIONS, reason="Behaviour has changed in C parser")
     def test_http_response_parser_code_under_100(response) -> None:
         msg = response.feed_data(b"HTTP/1.1 99 test\r\n\r\n")[0][0][0]
         assert msg.code == 99
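    Review bot: the `skipif` on `test_http_response_parser_code_under_100` turns a behaviour change in the C parser (a status line of `99` is no longer accepted) into a silent skip instead of a tested expectation; add a companion test for the C parser path asserting that `b"HTTP/1.1 99 test\r\n\r\n"` is rejected, so a later regression fails rather than being skipped. The hunk also depends on `NO_EXTENSIONS` being imported in this module, which is not visible in the shown context.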
    
  • vendor/llhttp+1 1 modified
    @@ -1 +1 @@
    -Subproject commit 69d6db2008508489d19267a0dcab30602b16fc5b
    +Subproject commit 7e18596bae8f63692ded9d3250d5d984fe90dcfb
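    Review bot: nothing in the hunk ties `7e18596bae8f63692ded9d3250d5d984fe90dcfb` to the v8.1.1 tag the commit message claims, and because `.gitmodules` in this same patch now tracks `v8.x`, this gitlink is the only thing pinning the llhttp version; record the tag (for example the `git describe --tags` output from inside vendor/llhttp) in the commit message so the pin can be verified at review time.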
    
  • vendor/README.rst+23 0 added
    @@ -0,0 +1,23 @@
    +LLHTTP
    +------
    +
    +When building aiohttp from source, there is a pure Python parser used by default.
    +For better performance, you may want to build the higher performance C parser.
    +
    +To build this ``llhttp`` parser, first get/update the submodules (to update to a
    +newer release, add ``--remote`` and check the branch in ``.gitmodules``)::
    +
    +    git submodule update --init --recursive
    +
    +Then build ``llhttp``::
    +
    +    cd vendor/llhttp/
    +    npm install
    +    make
    +
    +Then build our parser::
    +
    +    cd -
    +    make cythonize
    +
    +Then you can build or install it with ``python -m build`` or ``pip install -e .``
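    Review bot: `cd -` after building llhttp only returns to the repository root if the reader started there, which the instructions never say; use `cd ../..` or an explicit path. The opening paragraph should also say that a wheel install already ships the C parser (the advisory's default case) and that `AIOHTTP_NO_EXTENSIONS=1` forces the pure Python parser, so readers know when building is actually needed, and "For better performance ... the higher performance C parser" repeats itself.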
    
9c13a52c21c2

Bump aiohttp to v3.8.5 a security release

https://github.com/aio-libs/aiohttp · Sviatoslav Sydorenko · Jul 9, 2023 · via ghsa
6 files changed · +41 −8
  • aiohttp/__init__.py+1 1 modified
    @@ -1,4 +1,4 @@
    -__version__ = "3.8.4.post0.dev0"
    +__version__ = "3.8.5"
     
     from typing import Tuple
     
    
  • CHANGES/3355.bugfix+0 1 removed
    @@ -1 +0,0 @@
    -Fixed a transport is :data:`None` error -- by :user:`Dreamsorcerer`.
    
  • CHANGES/7346.feature+0 5 removed
    @@ -1,5 +0,0 @@
    -Upgrade the vendored copy of llhttp_ to v8.1.1 -- by :user:`webknjaz`.
    -
    -Thanks to :user:`sethmlarson` for pointing this out!
    -
    -.. _llhttp: https://llhttp.org
    
  • CHANGES/7366.feature+0 1 removed
    @@ -1 +0,0 @@
    -Added information to C parser exceptions to show which character caused the error. -- by :user:`Dreamsorcerer`
    
  • CHANGES.rst+39 0 modified
    @@ -10,6 +10,45 @@
     
     .. towncrier release notes start
     
    +3.8.5 (2023-07-19)
    +==================
    +
    +Security bugfixes
    +-----------------
    +
    +- Upgraded the vendored copy of llhttp_ to v8.1.1 -- by :user:`webknjaz`
    +  and :user:`Dreamsorcerer`.
    +
    +  Thanks to :user:`sethmlarson` for reporting this and providing us with
    +  comprehensive reproducer, workarounds and fixing details! For more
    +  information, see
    +  https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w.
    +
    +  .. _llhttp: https://llhttp.org
    +
    +  `#7346 <https://github.com/aio-libs/aiohttp/issues/7346>`_
    +
    +
    +Features
    +--------
    +
    +- Added information to C parser exceptions to show which character caused the error. -- by :user:`Dreamsorcerer`
    +
    +  `#7366 <https://github.com/aio-libs/aiohttp/issues/7366>`_
    +
    +
    +Bugfixes
    +--------
    +
    +- Fixed a transport is :data:`None` error -- by :user:`Dreamsorcerer`.
    +
    +  `#3355 <https://github.com/aio-libs/aiohttp/issues/3355>`_
    +
    +
    +
    +----
    +
    +
     3.8.4 (2023-02-12)
     ==================
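    Review bot: the security entry links GHSA-45c4-8wx5-qw6w but names neither the CVE (CVE-2023-37276) nor the mitigation for users who cannot upgrade (reinstall with `AIOHTTP_NO_EXTENSIONS=1` to use the pure Python parser), both of which operators expect to find in release notes; the three blank lines before `----` are also inconsistent with the two used between the other sections.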
     
    
  • docs/spelling_wordlist.txt+1 0 modified
    @@ -39,6 +39,7 @@ botocore
     brotli
     brotlipy
     bugfix
    +bugfixes
     Bugfixes
     builtin
     BytesIO
    
