
THREATINT
PUBLISHED

CVE-2024-52304

aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions



Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the pure Python HTTP parser handles newlines inside chunk extensions incorrectly, which can lead to request smuggling under certain conditions. If a pure Python build of aiohttp is installed (i.e. without the usual C extensions), or the `AIOHTTP_NO_EXTENSIONS` environment variable is enabled, an attacker may be able to perform a request smuggling attack to bypass certain firewall or proxy protections. Version 3.10.11 fixes the issue.

Reserved 2024-11-06 | Published 2024-11-18 | Updated 2024-11-21 | Assigner GitHub_M


MEDIUM: 6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N)

Product status

aiohttp < 3.10.11: affected

References

github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr

github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

cve.org (CVE-2024-52304)

nvd.nist.gov (CVE-2024-52304)

https://cve.threatint.com/CVE/CVE-2024-52304