aiohttp 3.9.2 vulnerabilities

Known vulnerabilities in the aiohttp package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M HTTP Request Smuggling Affected versions of this package are vulnerable to HTTP Request Smuggling due to incorrect parsing of newlines in chunk extensions via the `feed_data` function. An attacker can bypass firewall or proxy protections by sending specially crafted requests. Note: Exploiting this vulnerability is possible when a pure Python version of aiohttp is installed (Without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled. How to fix HTTP Request Smuggling? Upgrade `aiohttp` to version 3.10.11 or higher.	[,3.10.11)
M UNIX Symbolic Link (Symlink) Following Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following through the `FileResponse` class due to improper validation for compressed variants. An attacker can access files outside the intended directory by manipulating symbolic links to point to restricted areas by performing `Path.stat()` and `Path.open()` to send the file. Note This vulnerability impacts servers with static routes that contain compressed variants as symbolic links pointing outside the root directory or that permit users to upload or create such links. How to fix UNIX Symbolic Link (Symlink) Following? Upgrade `aiohttp` to version 3.10.2 or higher.	[,3.10.2)
H Infinite loop Affected versions of this package are vulnerable to Infinite loop when processing a `multipart/form-data` POST request with malicious `CONTENT_DISPOSITION` values. An attacker can cause the server to deny all other requests while stuck in the loop. How to fix Infinite loop? Upgrade `aiohttp` to version 3.9.4 or higher.	[,3.9.4)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling of index pages for static file serving when `show_index` is set to `True`. If users have the ability to upload files with arbitrary filenames to the static directory, an attacker can inject malicious scripts that will be executed in the context of the victim's browser session by crafting a file name that includes executable script content. Note: This is only exploitable if the server is configured to allow users to upload files to the static directory and `show_index` is enabled. How to fix Cross-site Scripting (XSS)? Upgrade `aiohttp` to version 3.9.4 or higher.	[,3.9.4)

Vulnerability

Vulnerable Version

HTTP Request Smuggling

Affected versions of this package are vulnerable to HTTP Request Smuggling due to incorrect parsing of newlines in chunk extensions via the feed_data function. An attacker can bypass firewall or proxy protections by sending specially crafted requests.

Note:

Exploiting this vulnerability is possible when a pure Python version of aiohttp is installed (Without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled.

How to fix HTTP Request Smuggling?

Upgrade aiohttp to version 3.10.11 or higher.

[,3.10.11)

UNIX Symbolic Link (Symlink) Following

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following through the FileResponse class due to improper validation for compressed variants. An attacker can access files outside the intended directory by manipulating symbolic links to point to restricted areas by performing Path.stat() and Path.open() to send the file.

Note

This vulnerability impacts servers with static routes that contain compressed variants as symbolic links pointing outside the root directory or that permit users to upload or create such links.

How to fix UNIX Symbolic Link (Symlink) Following?

Upgrade aiohttp to version 3.10.2 or higher.

[,3.10.2)

Infinite loop

Affected versions of this package are vulnerable to Infinite loop when processing a multipart/form-data POST request with malicious CONTENT_DISPOSITION values. An attacker can cause the server to deny all other requests while stuck in the loop.

How to fix Infinite loop?

Upgrade aiohttp to version 3.9.4 or higher.

[,3.9.4)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling of index pages for static file serving when show_index is set to True. If users have the ability to upload files with arbitrary filenames to the static directory, an attacker can inject malicious scripts that will be executed in the context of the victim's browser session by crafting a file name that includes executable script content.

Note:

This is only exploitable if the server is configured to allow users to upload files to the static directory and show_index is enabled.

How to fix Cross-site Scripting (XSS)?

Upgrade aiohttp to version 3.9.4 or higher.

[,3.9.4)

aiohttp@3.9.2 vulnerabilities

Async http client/server framework (asyncio)

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?