Cyber Resilience

CVE-2023-37276

Severity: Medium · Public PoC available

Published: 19 July 2023

Modified: 21 November 2024
KEV Added: (not listed)
Patch: (see remediation below)
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0613 (91.0th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-37276 is a medium-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in aiohttp. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 9.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.8.4 and earlier bundle llhttp v6.0.6, and the vulnerable llhttp-based HTTP request parser is enabled by default when the package is installed from a wheel. The flaw affects only deployments that use aiohttp as an HTTP server via aiohttp.Application; client-side usage through aiohttp.ClientSession is unaffected. A crafted HTTP request can cause the server to misinterpret a header value, resulting in HTTP request smuggling (CWE-444) with a CVSS 3.1 score of 5.3.

An unauthenticated network attacker can send the malicious request to trigger the parser inconsistency. Successful exploitation allows the attacker to smuggle a second request past the server’s intended boundaries, achieving limited integrity impact without requiring user interaction or privileges.

The issue is fixed in aiohttp 3.8.5. The project advisory recommends upgrading; users who cannot upgrade may reinstall the package with the environment variable AIOHTTP_NO_EXTENSIONS=1 set, which disables the llhttp extension and falls back to the non-vulnerable pure-Python parser. The associated GitHub security advisory and commit reference confirm the scope and remediation steps. The EPSS score has remained flat at 0.0613 with no material increase after disclosure.

EU & UK References

Vulnerability details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (i.e. `aiohttp.Application`); you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values, leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: aiohttp
Product: aiohttp
Versions: ≤ 3.8.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References