Moderate severityNVD Advisory· Published Nov 29, 2023· Updated Nov 4, 2025
aiohttp's ClientSession is vulnerable to CRLF injection via method
CVE-2023-49082
Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
aiohttpPyPI | < 3.9.0 | 3.9.0 |
Affected products
8- osv-coords7 versionspkg:apk/chainguard/py3-cassandra-medusapkg:apk/chainguard/py3-cassandra-medusa-compatpkg:apk/wolfi/py3-cassandra-medusapkg:apk/wolfi/py3-cassandra-medusa-compatpkg:pypi/aiohttppkg:rpm/opensuse/python-aiohttp&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5
< 0.19.1-r1+ 6 more
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 3.9.0
- (no CPE)range: < 3.8.6-150400.10.11.1
- (no CPE)range: < 3.8.6-150400.10.11.1
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-qvrw-v9rv-5rjxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-49082ghsaADVISORY
- gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44bghsax_refsource_MISCWEB
- github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466ghsax_refsource_MISCWEB
- github.com/aio-libs/aiohttp/pull/7806/filesghsax_refsource_MISCWEB
- github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjxghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2025/02/msg00002.htmlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMAghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3AghsaWEB
News mentions
0No linked articles in our index yet.