CVE-2023-47627

Request smuggling in aiohttp

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

aiohttp es un framework cliente/servidor HTTP asíncrono para asyncio y Python. El analizador HTTP en AIOHTTP tiene numerosos problemas con el análisis de encabezados, lo que podría provocar contrabando de solicitudes. Este analizador solo se usa cuando AIOHTTP_NO_EXTENSIONS está habilitado (o no se usa una rueda prediseñada). Estos errores se solucionaron en el commit`d5c12ba89` que se incluyó en la versión 3.8.6. Se recomienda a los usuarios que actualicen. No se conocen workarounds para estos problemas.

An HTTP request smuggling vulnerability was found in aiohttp. Numerous issues with HTTP parsing can allow an attacker to smuggle HTTP requests.

Ben Kallus discovered that AIOHTTP did not correctly parse HTTP headers. A remote attacker could possibly use this issue to perform request smuggling. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. Ivan Novikov discovered that AIOHTTP did not properly validate certain inputs. A remote attacker could possibly use this issue to perform request smuggling. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Complete

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-11-07 CVE Reserved
2023-11-14 CVE Published
2025-02-13 CVE Updated
2025-02-13 First Exploit
2025-08-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (7)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM

URL	Date	SRC
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg	2025-02-13

URL	Date	SRC
https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d	2024-02-05

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-47627	2024-04-23
https://bugzilla.redhat.com/show_bug.cgi?id=2249825	2024-04-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Aiohttp Search vendor "Aiohttp"		Aiohttp Search vendor "Aiohttp" for product "Aiohttp"				< 3.8.6 Search vendor "Aiohttp" for product "Aiohttp" and version " < 3.8.6"		-		Affected