CVE-2023-37276
HTTP Request Smuggling vulnerability in aiohttp (PyPI)
What is CVE-2023-37276 About?
This vulnerability in aiohttp allows for HTTP request smuggling when used as an HTTP server, due to its bundled vulnerable `llhttp` parser. An attacker can manipulate HTTP header parsing by sending a crafted HTTP request. This vulnerability is moderately difficult to exploit and can lead to various attacks, including cache poisoning or bypassing security controls.
Affected Software
Technical Details
The vulnerability exists because aiohttp v3.8.4 and earlier versions bundle llhttp v6.0.6, which is susceptible to CVE-2023-30589. When aiohttp acts as an HTTP server, it uses this vulnerable llhttp parser by default. A crafted HTTP request, specifically one that includes ambiguous Content-Length and Transfer-Encoding headers or malformed header values, can cause the server to misinterpret the boundaries of HTTP requests. The llhttp parser's incorrect handling of such inputs, particularly a bare `\r` (carriage return, not followed by a line feed) within a header value (for example `X-Abc: x\rTransfer-Encoding: chunked`), leads to it splitting what should be a single header into multiple, different headers from its perspective. This can result in the HTTP server interpreting parts of one request as the beginning of a subsequent request, enabling HTTP request smuggling.
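As an added example (not code from aiohttp, llhttp or this advisory), the kind of strict header pre-check a defender can place in front of a lenient parser: it accepts CRLF as the only line terminator, rejects any header line that still contains a bare CR or LF, and flags the ambiguous Content-Length/Transfer-Encoding combination. The sample request bytes are constructed for the demonstration.

```python
# Constructed sample: header section with a bare CR inside a header value,
# the shape the advisory describes for the bundled llhttp parser.
SMUGGLED = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Abc: x\rTransfer-Encoding: chunked\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
)


def parse_headers_strict(raw: bytes):
    """Split an HTTP/1.1 header section on CRLF only.

    Returns (request_line, [(lowercased_name, value), ...]).
    Raises ValueError if any header line contains a bare CR or LF or
    is otherwise malformed, so one line can never become two headers.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header section not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        # After splitting on CRLF, any remaining CR or LF is a stray control byte.
        if b"\r" in line or b"\n" in line:
            raise ValueError(f"bare CR/LF inside header line: {line!r}")
        name, colon, value = line.partition(b":")
        # RFC 7230: no whitespace is allowed between the field name and the colon.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return request_line, headers


def smuggling_risk(raw: bytes) -> list[str]:
    """Return the reasons a request should be rejected; empty list means clean."""
    try:
        _, headers = parse_headers_strict(raw)
    except ValueError as exc:
        return [str(exc)]
    names = [name for name, _ in headers]
    reasons = []
    if names.count(b"content-length") > 1:
        reasons.append("multiple Content-Length headers")
    if b"content-length" in names and b"transfer-encoding" in names:
        reasons.append("both Content-Length and Transfer-Encoding present")
    return reasons
```

A front-end proxy or WAF that applies this check before the request reaches the server leaves the lenient parser nothing to disagree about.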
What is the Impact of CVE-2023-37276?
Successful exploitation may allow attackers to bypass security controls, poison web caches, gain unauthorized access to internal services, or conduct other targeted attacks against users sharing the same connection.
What is the Exploitability of CVE-2023-37276?
Exploitation requires crafting a specific HTTP request that exploits the parser's logic, which involves a moderate level of complexity and understanding of HTTP protocol nuances. No authentication is typically required, as the attack targets the parsing of initial HTTP requests. No special privileges are needed. The attack is remote, and the prerequisites include the target application running aiohttp as an HTTP server with the vulnerable llhttp parser enabled. The risk factors for exploitation include public exposure of the server and the attacker's ability to send precisely malformed HTTP requests.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-37276?
Available Upgrade Options
- aiohttp
- <3.8.5 → Upgrade to 3.8.5
Additional Resources
- https://github.com/aio-libs/aiohttp
- https://hackerone.com/reports/2001873
- https://osv.dev/vulnerability/PYSEC-2023-120
- https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
- https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules
- https://github.com/aio-libs/aiohttp/commit/9c13a52c21c23dfdb49ed89418d28a5b116d0681
What are Similar Vulnerabilities to CVE-2023-37276?
Similar Vulnerabilities: CVE-2023-30589, CVE-2022-29210, CVE-2021-39181, CVE-2020-1971, CVE-2019-17595
