—

PYSEC-2023-120

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Details

### Impact

aiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.

This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`).

### Reproducer

```python from aiohttp import web

async def example(request: web.Request): headers = dict(request.headers) body = await request.content.read() return web.Response(text=f"headers: {headers} body: {body}")

app = web.Application() app.add_routes([web.post('/', example)]) web.run_app(app) ```

Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.

```console $ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \ | nc localhost 8080

Expected output: headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b''

Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently) headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A' ```

### Patches

Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: [`pip install aiohttp >= 3.8.5`](https://pypi.org/project/aiohttp/3.8.5/)

### Workarounds

If you aren't able to upgrade you can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:

```console $ python -m pip uninstall --yes aiohttp $ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp ```

### References

* https://nvd.nist.gov/vuln/detail/CVE-2023-30589 * https://hackerone.com/reports/2001873

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.8.5

Fix pip install --upgrade 'aiohttp>=3.8.5'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w [ADVISORY]
https://nvd.nist.gov/vuln/detail/CVE-2023-37276 [ADVISORY]
https://github.com/aio-libs/aiohttp [PACKAGE]
https://hackerone.com/reports/2001873 [WEB]