MEDIUM

GHSA-8495-4g3g-x7pr

aiohttp allows request smuggling due to incorrect parsing of chunk extensions

Details

### Summary The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.10.11

Fix pip install --upgrade 'aiohttp>=3.10.11'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2024-52304 [ADVISORY]
https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71 [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]
https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html [WEB]