Moderate severity · NVD Advisory · Published Nov 14, 2023 · Updated Nov 3, 2025
Request smuggling in aiohttp
CVE-2023-47627
Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The pure-Python HTTP parser in aiohttp has numerous problems with header parsing, which could lead to request smuggling. That parser is used only when the AIOHTTP_NO_EXTENSIONS environment variable is set, or when the C parser extension was not built (which can happen when aiohttp is installed from the source distribution rather than from a prebuilt wheel); deployments running the C parser are outside the scope of this advisory. These bugs have been addressed in commit d5c12ba89, which is included in release 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.
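The first thing a practitioner wants to know is whether a given deployment is actually in scope: the advisory limits the bug to aiohttp older than 3.8.6 running the pure-Python parser. The following is an added example, not code from the advisory or from aiohttp itself, that encodes both conditions as a check you can run inside the affected interpreter. It assumes that in aiohttp 3.x the class `aiohttp.http_parser.HttpRequestParser` is rebound to the C implementation from `aiohttp._http_parser` when that extension imports, so the class's `__module__` attribute identifies the active backend; the version strings and module names in the demo section are constructed inputs.

```python
"""Check whether a deployment is exposed to CVE-2023-47627.

Added example, not part of the advisory or of aiohttp. It encodes the two
conditions the advisory states: aiohttp older than 3.8.6 AND the pure-Python
HTTP parser in use (AIOHTTP_NO_EXTENSIONS set, or the C extension missing).

Assumption: in aiohttp 3.x, aiohttp.http_parser.HttpRequestParser is rebound
to the C class from aiohttp._http_parser when that extension imports, so the
class's __module__ tells us which backend is active.
"""
import os
import re
from typing import Optional, Tuple

FIXED_VERSION = (3, 8, 6)
C_PARSER_MODULE = "aiohttp._http_parser"


def release_tuple(version: str) -> Tuple[int, int, int]:
    """Leading numeric release segment: '3.8.6.dev0' -> (3, 8, 6), '3.8' -> (3, 8, 0).

    Pre-release and dev suffixes are ignored, so '3.8.6rc0' compares equal to
    3.8.6; treat such builds as unpatched unless you have verified the commit.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, patch)


def version_is_affected(version: str) -> bool:
    """True for any release before the fixed version 3.8.6."""
    return release_tuple(version) < FIXED_VERSION


def parser_backend(parser_module: str, no_extensions: bool) -> str:
    """Return 'c' when the C extension parser is active, else 'python'.

    no_extensions mirrors the AIOHTTP_NO_EXTENSIONS environment variable: when
    it is set aiohttp never imports the C classes, whatever is installed.
    """
    if no_extensions:
        return "python"
    return "c" if parser_module == C_PARSER_MODULE else "python"


def assess(version: str, parser_module: str, no_extensions: bool) -> dict:
    """Combine both conditions.

    'exposed' is the advisory's scope: affected version AND pure-Python parser.
    'affected_version' alone still warrants the upgrade, because a later build
    or environment change can switch the backend without anyone noticing.
    """
    affected = version_is_affected(version)
    backend = parser_backend(parser_module, no_extensions)
    return {
        "version": version,
        "affected_version": affected,
        "parser_backend": backend,
        "exposed": affected and backend == "python",
        "action": "upgrade to aiohttp >= 3.8.6" if affected else "none (patched release)",
    }


def check_installed() -> Optional[dict]:
    """Inspect the aiohttp importable from this interpreter; None if absent."""
    try:
        import aiohttp
        from aiohttp import http_parser
    except ImportError:
        return None
    no_ext = bool(os.environ.get("AIOHTTP_NO_EXTENSIONS"))
    return assess(aiohttp.__version__, http_parser.HttpRequestParser.__module__, no_ext)


if __name__ == "__main__":
    # Constructed demo inputs, followed by the live check for this interpreter.
    for ver, mod, no_ext in [
        ("3.8.5", "aiohttp.http_parser", False),   # old release, Python parser: exposed
        ("3.8.5", "aiohttp._http_parser", False),  # old release, but C parser active
        ("3.8.5", "aiohttp.http_parser", True),    # env var forces the Python parser
        ("3.8.6", "aiohttp.http_parser", False),   # patched release
    ]:
        print(assess(ver, mod, no_ext))
    live = check_installed()
    print("installed aiohttp:", live if live else "not importable here")
```

Run it with the service's own interpreter and environment (same virtualenv, same AIOHTTP_NO_EXTENSIONS setting), because the backend is chosen at import time from that variable and from whether the compiled extension imports there; a result from a developer laptop with a prebuilt wheel says nothing about a container built from source.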
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| aiohttp | PyPI | < 3.8.6 | 3.8.6 |
Affected products
12 package coordinates sourced from OSV; none of them carries a CPE.

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:apk/chainguard/py3-cassandra-medusa | Chainguard | < 0.19.1-r1 |
| pkg:apk/chainguard/py3-cassandra-medusa-compat | Chainguard | < 0.19.1-r1 |
| pkg:apk/wolfi/py3-cassandra-medusa | Wolfi | < 0.19.1-r1 |
| pkg:apk/wolfi/py3-cassandra-medusa-compat | Wolfi | < 0.19.1-r1 |
| pkg:pypi/aiohttp | PyPI | < 3.8.6 |
| pkg:rpm/opensuse/python-aiohttp | openSUSE Leap 15.5 | < 3.9.3-150400.10.14.1 |
| pkg:rpm/opensuse/python-aiohttp | openSUSE Tumbleweed | < 3.9.0-1.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | < 3.9.3-150400.10.14.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | < 3.9.3-150400.10.14.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Module for Python 3 15 SP5 | < 3.9.3-150400.10.14.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Server 15 SP4-LTSS | < 3.9.3-150400.10.14.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Server for SAP Applications 15 SP4 | < 3.9.3-150400.10.14.1 |
Patches
Fixed upstream in commit d5c12ba890557a575c313bb3017910d7616fce3d, first shipped in aiohttp 3.8.6.
References
- GitHub advisory GHSA-gfw2-4jvh-wgfg: github.com/advisories/GHSA-gfw2-4jvh-wgfg
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2023-47627
- Fix commit: github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d
- Release v3.8.6: github.com/aio-libs/aiohttp/releases/tag/v3.8.6
- Upstream security advisory: github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
- PyPA advisory PYSEC-2023-246: github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-246.yaml
- Debian LTS announcement: lists.debian.org/debian-lts-announce/2025/02/msg00002.html
- Fedora package announcement: lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U
- Fedora package announcement: lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35
- Fedora package announcement: lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM