Cyber Resilience

CVE-2024-23829

Severity: Medium · Public PoC available

Published: 29 January 2024
Modified: 03 November 2025
KEV Added: not listed
Patch: fixed in aiohttp 3.9.2
CVSS v3.1 base score: 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS score: 0.0047 (65.2nd percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-23829 is a medium-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in aiohttp. Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, it ranks in the top 34.8% of CVEs by EPSS exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in the allowable character sets; these must trigger error handling so that the parser's frame boundaries robustly match those of proxies, which is what protects against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with the processing of other malformed input. Being more lenient than internet standards require could, depending on the deployment environment, assist in request smuggling, and the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes it.
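The following is an added illustration of the vulnerability class described above (CWE-444); it is not aiohttp's code and does not reproduce the exact character-set differences fixed in 3.9.2. It contrasts a lenient header-name tokeniser with one restricted to the RFC 9110 token character set, shows how the two frame the same constructed request differently (the disagreement request smuggling relies on), and funnels every malformed input through one handled exception type instead of letting a raw ValueError escape. All requests, header names and helper names are constructed for this example.

```python
"""Lenient versus strict HTTP/1.1 header-name parsing (added example)."""
import string

# RFC 9110 section 5.6.2 token characters (tchar). Header field names and
# request methods must consist only of these bytes.
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)


class BadHttpMessage(ValueError):
    """The single exception type a server maps to a 400 response.

    Routing every malformed-input case through one handled error is what
    keeps odd bytes from surfacing as an unhandled exception and a stack
    trace in the application log.
    """


def is_token(value: str) -> bool:
    return bool(value) and all(c in TCHAR for c in value)


def parse_headers_strict(raw: bytes, drop_invalid: bool = False) -> dict:
    """Accept only header names that are pure RFC 9110 tokens.

    drop_invalid=True models an intermediary that silently ignores a header
    it cannot parse instead of rejecting the whole message."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadHttpMessage("header line without colon: %r" % line)
        name_s = name.decode("latin-1")
        if not is_token(name_s):
            if drop_invalid:
                continue
            raise BadHttpMessage("invalid header name: %r" % name)
        headers[name_s.lower()] = value.strip().decode("latin-1")
    return headers


def parse_headers_lenient(raw: bytes) -> dict:
    """Tolerant parser: takes whatever precedes ':' and strips whitespace,
    including vertical tab and form feed, from the name."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # silently ignore junk lines
        # str.strip() removes \t, \x0b, \x0c and other Unicode whitespace,
        # so b"Transfer-Encoding\x0b" collapses to "transfer-encoding".
        name_s = name.decode("latin-1").strip().lower()
        headers[name_s] = value.strip().decode("latin-1")
    return headers


def framing(headers: dict) -> tuple:
    """Decide how the body is delimited (RFC 9112 section 6.3).

    Returns ("chunked", None) or ("content-length", n). A non-numeric
    Content-Length is reported as BadHttpMessage rather than leaking the
    ValueError that int() would raise."""
    te = headers.get("transfer-encoding")
    if te is not None:
        if te.lower().split(",")[-1].strip() != "chunked":
            raise BadHttpMessage("unsupported transfer-encoding: %r" % te)
        return ("chunked", None)
    cl = headers.get("content-length")
    if cl is None:
        return ("content-length", 0)
    if not cl.isdigit():
        raise BadHttpMessage("invalid content-length: %r" % cl)
    return ("content-length", int(cl))


def strict_rejects(raw: bytes) -> bool:
    """True if the strict parser rejects the message with a handled 400."""
    try:
        framing(parse_headers_strict(raw))
    except BadHttpMessage:
        return True
    return False


# Constructed header block: the Transfer-Encoding name carries a stray
# vertical tab (0x0b), which is not a tchar.
SMUGGLED = (
    b"Host: backend.example\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding\x0b: chunked\r\n"
)
CLEAN = b"Host: backend.example\r\nContent-Length: 5\r\n"

if __name__ == "__main__":
    print("lenient backend framing :", framing(parse_headers_lenient(SMUGGLED)))
    print("front-end dropping junk :", framing(parse_headers_strict(SMUGGLED, drop_invalid=True)))
    print("strict parser rejects   :", strict_rejects(SMUGGLED))
    print("clean request framing   :", framing(parse_headers_strict(CLEAN)))
```

Run stand-alone, the lenient parser frames the constructed request as chunked while a front-end that merely drops the unparseable header frames it by Content-Length: 5; those two views of one byte stream are the smuggling primitive. The strict parser refuses the message outright, and a bad Content-Length is also reported as BadHttpMessage, so the server's error path stays uniform regardless of which check failed.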

CWE(s)

CWE-444: HTTP Request/Response Smuggling

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

aiohttp / aiohttp: versions before 3.9.2 (3.9.2 contains the fix)
fedoraproject / fedora: 39

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
