CVE-2023-37276
Published: 19 July 2023
Summary
CVE-2023-37276 is a medium-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in aiohttp. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 9.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.8.4 and earlier bundle llhttp v6.0.6, and the vulnerable llhttp-based HTTP request parser is enabled by default when the package is installed from a wheel. The flaw affects only deployments that use aiohttp as an HTTP server via aiohttp.Application; client-side usage through aiohttp.ClientSession is unaffected. A crafted HTTP request can cause the server to misinterpret a header value, resulting in HTTP request smuggling (CWE-444) with a CVSS 3.1 score of 5.3.
An unauthenticated network attacker can send the malicious request to trigger the parser inconsistency. Successful exploitation allows the attacker to smuggle a second request past the server’s intended boundaries, achieving limited integrity impact without requiring user interaction or privileges.
The issue is fixed in aiohttp 3.8.5. The project advisory recommends upgrading; users who cannot upgrade may reinstall the package with the environment variable AIOHTTP_NO_EXTENSIONS=1 set, which disables the llhttp extension and falls back to the non-vulnerable pure-Python parser. The associated GitHub security advisory and commit reference confirm the scope and remediation steps. The EPSS score has remained flat at 0.0613 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0003
Vulnerability details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (i.e. `aiohttp.Application`); you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values, leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.
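The mitigation above hinges on two facts about a deployment: the installed aiohttp version and whether the llhttp extension or the pure-Python parser was actually loaded. The following check script is an added example, not part of the advisory or the aiohttp project; it assumes the C extension lives in `aiohttp._http_parser` and the fallback in `aiohttp.http_parser` (the module names aiohttp uses), and that `aiohttp.__version__` is available.

```python
import importlib
import re
from typing import Dict, Tuple

# Values taken from the advisory text above; module names are the ones aiohttp uses.
FIXED_VERSION = (3, 8, 5)
C_PARSER_MODULE = "aiohttp._http_parser"  # llhttp-backed C extension
PY_PARSER_MODULE = "aiohttp.http_parser"  # pure-Python fallback


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.8.4' (or '3.8.5rc1') into a comparable tuple of ints."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def classify(version: str, parser_module: str) -> str:
    """'fixed' (>= 3.8.5), 'mitigated' (older release, pure-Python parser active),
    'vulnerable' (older release, llhttp extension active) or 'unknown'."""
    if parse_version(version) >= FIXED_VERSION:
        return "fixed"
    if parser_module == PY_PARSER_MODULE:
        return "mitigated"
    if parser_module == C_PARSER_MODULE:
        return "vulnerable"
    return "unknown"


def inspect_environment() -> Dict[str, str]:
    """Report the installed aiohttp version and the request parser it actually loaded.
    Run this in the same interpreter/venv as the server: the parser is chosen at import."""
    aiohttp = importlib.import_module("aiohttp")
    http_parser = importlib.import_module("aiohttp.http_parser")
    version = aiohttp.__version__
    parser_module = http_parser.HttpRequestParser.__module__
    return {"version": version, "parser": parser_module,
            "status": classify(version, parser_module)}


if __name__ == "__main__":
    print(inspect_environment())
```

A result of `vulnerable` means the reinstall with `AIOHTTP_NO_EXTENSIONS=1` did not take effect for that interpreter (for example, a cached wheel was reused), so the check is worth running after the reinstall rather than assuming it worked.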
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.