Moderate severityNVD Advisory· Published Nov 30, 2023· Updated Nov 4, 2025
aiohttp's ClientSession is vulnerable to CRLF injection via version
CVE-2023-49081
Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
aiohttpPyPI | < 3.9.0 | 3.9.0 |
Affected products
14- osv-coords13 versionspkg:apk/chainguard/py3-cassandra-medusapkg:apk/chainguard/py3-cassandra-medusa-compatpkg:apk/wolfi/py3-cassandra-medusapkg:apk/wolfi/py3-cassandra-medusa-compatpkg:pypi/aiohttppkg:rpm/opensuse/python-aiohttp&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-aiohttp&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP1pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP2pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP3pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP4pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5
< 0.19.1-r1+ 12 more
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 3.9.0
- (no CPE)range: < 3.8.5-150400.10.8.1
- (no CPE)range: < 3.9.3-2.1
- (no CPE)range: < 3.6.0-150100.3.15.1
- (no CPE)range: < 3.6.0-150100.3.15.1
- (no CPE)range: < 3.6.0-150100.3.15.1
- (no CPE)range: < 3.6.0-150100.3.15.1
- (no CPE)range: < 3.6.0-150100.3.15.1
- (no CPE)range: < 3.8.5-150400.10.8.1
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-q3qx-c6g2-7pw2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-49081ghsaADVISORY
- gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508eghsax_refsource_MISCWEB
- github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013bghsax_refsource_MISCWEB
- github.com/aio-libs/aiohttp/pull/7835/filesghsax_refsource_MISCWEB
- github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2ghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-250.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2025/02/msg00002.htmlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMAghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3AghsaWEB
News mentions
0No linked articles in our index yet.