Moderate severityNVD Advisory· Published Nov 30, 2023· Updated Nov 4, 2025
aiohttp's ClientSession is vulnerable to CRLF injection via version
CVE-2023-49081
Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
aiohttpPyPI | < 3.9.0 | 3.9.0 |
Affected products
1Patches
11e86b777e61cDisallow arbitrary sequence types in version (#7835)
3 files changed · +20 −5
aiohttp/client_reqrep.py+2 −2 modified@@ -644,8 +644,8 @@ async def send(self, conn: "Connection") -> "ClientResponse": self.headers[hdrs.CONNECTION] = connection # status + headers - status_line = "{0} {1} HTTP/{2[0]}.{2[1]}".format( - self.method, path, self.version + status_line = "{0} {1} HTTP/{v.major}.{v.minor}".format( + self.method, path, v=self.version ) await writer.write_headers(status_line, self.headers)
CHANGES/7835.bugfix+1 −0 added@@ -0,0 +1 @@ +Fixed arbitrary sequence types being allowed to inject headers via version parameter -- by :user:`Dreamsorcerer`
tests/test_client_request.py+17 −3 modified@@ -20,6 +20,7 @@ Fingerprint, _gen_default_accept_encoding, ) +from aiohttp.http import HttpVersion from aiohttp.test_utils import make_mocked_coro @@ -590,18 +591,18 @@ async def test_connection_header(loop: Any, conn: Any) -> None: req.headers.clear() req.keep_alive.return_value = True - req.version = (1, 1) + req.version = HttpVersion(1, 1) req.headers.clear() await req.send(conn) assert req.headers.get("CONNECTION") is None - req.version = (1, 0) + req.version = HttpVersion(1, 0) req.headers.clear() await req.send(conn) assert req.headers.get("CONNECTION") == "keep-alive" req.keep_alive.return_value = False - req.version = (1, 1) + req.version = HttpVersion(1, 1) req.headers.clear() await req.send(conn) assert req.headers.get("CONNECTION") == "close" @@ -1112,6 +1113,19 @@ async def gen(): resp.close() +async def test_bad_version(loop: Any, conn: Any) -> None: + req = ClientRequest( + "GET", + URL("http://python.org"), + loop=loop, + headers={"Connection": "Close"}, + version=("1", "1\r\nInjected-Header: not allowed"), + ) + + with pytest.raises(AttributeError): + await req.send(conn) + + async def test_custom_response_class(loop: Any, conn: Any) -> None: class CustomResponse(ClientResponse): def read(self, decode=False):
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- github.com/advisories/GHSA-q3qx-c6g2-7pw2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-49081ghsaADVISORY
- gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508eghsax_refsource_MISCWEB
- github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013bghsax_refsource_MISCWEB
- github.com/aio-libs/aiohttp/pull/7835/filesghsax_refsource_MISCWEB
- github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2ghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-250.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2025/02/msg00002.htmlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMAghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3AghsaWEB
News mentions
0No linked articles in our index yet.