AIOHTTP's unicode processing of header values could cause parsing discrepancies
The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.
A zip bomb can be used to execute a DoS against the aiohttp server.
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.
Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.
Reading multiple invalid cookies can lead to a logging storm.
Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components.
A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.
The parser allows non-ASCII decimals to be present in the Range header.
The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.
A memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry.
The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.
Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.
An XSS vulnerability exists on index pages for static file handling.
Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets; these must trigger error handling in order to robustly match the frame boundaries of proxies and protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with the processing of other malformed input.
Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.
Improper validation makes it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.
Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.
Summary: llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities. Details have not been disclosed yet, so refer to llhttp for future information. The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).
The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).
aiohttp has a security vulnerability regarding the inconsistent interpretation of the HTTP protocol. Because HTTP/1.1 connections are persistent, a request carrying both Content-Length (CL) and Transfer-Encoding (TE) headers can be interpreted differently by the two entities that parse the HTTP, and other sockets can be poisoned with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy (frontend) that accepts both CL and TE headers and …
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (i.e. aiohttp.Application); you are not affected by this vulnerability if you are using aiohttp as an …
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Upgrade your dependency using pip as follows: pip install aiohttp.
aiohttp-session contains a Session Fixation vulnerability in the load_session function for RedisStorage that can result in Session Hijacking. This attack appears to be exploitable via any method that allows setting session cookies.