LOW

GHSA-m6qw-4cw2-hm4m

aiohttp: CRLF injection in multipart headers

Details

### Summary

Attacker-controlled input included in multipart/payload headers can be used to modify a request, for example to inject additional headers.

### Impact

In the unlikely situation that an application passes user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may be able to modify the request to inject headers or change the contents of the request.

### Workaround

Sanitise such user input.
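
One way to apply this workaround on versions before the fix, as an added example that is not part of the advisory or of aiohttp's own code: validate every header name and value before it reaches `MultipartWriter.append(headers=...)` or `Payload.headers`, and reject bad input rather than stripping it. The names `clean_part_headers` and `UnsafeHeaderError` are hypothetical, and the sample inputs are constructed.

```python
import re
from typing import Dict, Mapping

# RFC 9110 "token": the only characters allowed in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# CR and LF terminate a header line; NUL, the other C0 controls (HTAB excepted)
# and DEL are not valid in a field value either.
_BAD_VALUE_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class UnsafeHeaderError(ValueError):
    """Raised when a header name or value could alter the message framing."""


def clean_part_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return a copy of `headers` that is safe to hand to a multipart part.

    Any name that is not an RFC 9110 token, or any value containing CR, LF or
    another control character, raises UnsafeHeaderError. Nothing is silently
    rewritten, so a rejected request is visible to the caller and to logging.
    """
    cleaned: Dict[str, str] = {}
    for name, value in headers.items():
        if not isinstance(name, str) or not isinstance(value, str):
            raise UnsafeHeaderError(f"non-string header: {name!r}")
        if not _TOKEN.fullmatch(name):
            raise UnsafeHeaderError(f"invalid header name: {name!r}")
        if _BAD_VALUE_CHARS.search(value):
            raise UnsafeHeaderError(f"control character in value of {name!r}")
        cleaned[name] = value
    return cleaned


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a CRLF sequence.
    samples = [
        {"X-Upload-Note": "quarterly report"},
        {"X-Upload-Note": "report\r\nX-Injected: 1"},
    ]
    for user_headers in samples:
        try:
            print("accepted:", clean_part_headers(user_headers))
            # Assumed call site: writer.append(data, headers=clean_part_headers(user_headers))
        except UnsafeHeaderError as exc:
            print("rejected:", exc)
```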

-----

Patch: https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8


Affected packages

PyPI / aiohttp
First affected version: 0; fixed version: 3.14.0
Fix: pip install --upgrade 'aiohttp>=3.14.0'
