CVE-2024-23829
Request Smuggling vulnerability in aiohttp (PyPI)
What is CVE-2024-23829 About?
This vulnerability affects aiohttp's pure-Python HTTP parser, the fallback used when the llhttp-based C extension is not available or has been disabled. It is caused by minor differences between the character sets the parser accepts and those the HTTP standards permit, combined with inconsistent error handling for malformed input. Because an upstream proxy and the aiohttp server can then disagree about where one request ends and the next begins, an attacker can use request smuggling to inject additional HTTP requests, particularly when aiohttp is deployed behind a proxy. Malformed input could also raise exceptions the parser did not handle, leading to excessive resource consumption.
Affected Software
- aiohttp (PyPI) versions earlier than 3.9.2, when requests are handled by the pure-Python HTTP parser rather than llhttp
Technical Details
The vulnerability in the Python HTTP parser (the fallback aiohttp uses without llhttp) stems from three issues in how protocol elements were pattern-matched. First, the regular expression for the HTTP version, `HTTP/(\d).(\d)`, did not escape the dot, so it matched any single character rather than a literal `.`; a version string such as `HTTP/1ö1` was therefore accepted. Second, `\d` in a Python str pattern matches any Unicode decimal digit, so non-ASCII digits were accepted in the version even though the standard requires ASCII digits. Third, method names and header field names were validated with two separate, inconsistent regular expressions instead of the single `token` rule from RFC 9110 (one or more of the characters `!#$%&'*+-.^_|~`, the backtick, ASCII digits and ASCII letters). In each case the parser is more lenient than the internet standards, so a standards-conforming proxy in front of aiohttp and aiohttp itself can disagree about where a request's frame boundaries lie. That disagreement enables request smuggling (for example with a request line of `GET / : HTTP/1.1`), and other malformed input (for example a header line of `Content-Encoding?: chunked`) could trigger unhandled exceptions and resource exhaustion.
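To make the three character-set discrepancies concrete, the following added example (written for this page, not aiohttp's own parser code) validates a request head in two modes: a lenient mode built from patterns of the kind the advisory describes (unescaped dot, Unicode-aware `\d`, loose method and header-name classes) and a strict mode that uses a literal dot, ASCII digits and the RFC 9110 token rule for both methods and header names. The lenient method and header-name patterns, and the choice to merely search for a version substring in lenient mode, are assumptions made for illustration; the sample requests are constructed here. Every sample that the lenient mode accepts but the strict mode rejects is an input a conforming proxy and the lenient parser would frame differently.

```python
import re

# Lenient patterns of the kind the advisory describes. Illustrative reconstruction for this
# page, not aiohttp's source: the unescaped dot matches any character, \d matches any Unicode
# decimal digit, and methods/header names get two loose, unrelated character classes.
LENIENT_VERSION_RE = re.compile(r"HTTP/(\d).(\d)")
LENIENT_METHOD_RE = re.compile(r"[A-Za-z0-9$_.-]+")   # assumed loose method pattern
LENIENT_HDRNAME_RE = re.compile(r"[^\s:]+")           # assumed loose header-name pattern

# Hardened patterns: literal dot, ASCII digits only, and one RFC 9110 token rule
# (tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA)
# shared by method names and header field names.
STRICT_VERSION_RE = re.compile(r"HTTP/([0-9])\.([0-9])")
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_request_head(raw: bytes, strict: bool) -> dict:
    """Parse request line and headers; raise ValueError on anything the chosen mode rejects."""
    lines = raw.decode("utf-8").split("\r\n")
    parts = lines[0].split(maxsplit=2)
    if len(parts) != 3:
        raise ValueError(f"bad request line {lines[0]!r}")
    method, target, version = parts

    method_re = TOKEN_RE if strict else LENIENT_METHOD_RE
    if not method_re.fullmatch(method):
        raise ValueError(f"bad method {method!r}")

    if strict:
        m = STRICT_VERSION_RE.fullmatch(version)      # whole field must be HTTP/<digit>.<digit>
    else:
        m = LENIENT_VERSION_RE.search(version)        # assumed: lenient mode only looks for a version somewhere
    if m is None:
        raise ValueError(f"bad version {version!r}")

    name_re = TOKEN_RE if strict else LENIENT_HDRNAME_RE
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                                     # blank line ends the head
        name, sep, value = line.partition(":")
        if not sep or not name_re.fullmatch(name):
            raise ValueError(f"bad header line {line!r}")
        headers[name.lower()] = value.strip()

    return {"method": method, "target": target,
            "version": (m.group(1), m.group(2)), "headers": headers}


def accepts(raw: bytes, strict: bool) -> bool:
    try:
        parse_request_head(raw, strict)
        return True
    except ValueError:
        return False


# Constructed sample requests: a clean one plus the malformed shapes the advisory describes.
SAMPLES = {
    "clean":           b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "unescaped_dot":   "GET / HTTP/1ö1\r\nHost: example.test\r\n\r\n".encode("utf-8"),
    "unicode_digits":  "GET / HTTP/\u0661.\u0661\r\nHost: example.test\r\n\r\n".encode("utf-8"),
    "extra_token":     b"GET / : HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "bad_header_name": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Encoding?: chunked\r\n\r\n",
}


def audit() -> dict:
    """Map each sample name to (lenient_accepts, strict_accepts)."""
    return {name: (accepts(raw, strict=False), accepts(raw, strict=True))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (lenient_ok, strict_ok) in audit().items():
        print(f"{name:16} lenient={'accept' if lenient_ok else 'reject':7} "
              f"strict={'accept' if strict_ok else 'reject'}")
```

Only the clean request survives both modes; the other four (the page's `HTTP/1ö1`, `GET / : HTTP/1.1` and `Content-Encoding?: chunked` examples, plus a version written with Arabic-Indic digits) are accepted leniently and rejected strictly, which is exactly the gap a smuggling payload relies on.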
What is the Impact of CVE-2024-23829?
Successful exploitation may allow attackers to perform request smuggling, bypass security controls, cause denial of service due to resource exhaustion, or bypass caching mechanisms.
What is the Exploitability of CVE-2024-23829?
Exploitation requires an aiohttp server that is using the pure-Python HTTP parser, which happens when the C extension wrapping llhttp is not built or has been disabled (for example via the AIOHTTP_NO_EXTENSIONS environment variable), and is most relevant when that server sits behind a proxy. The parser actually in use can be confirmed by inspecting aiohttp.http_parser.HttpRequestParser: the C-backed class is defined in aiohttp._http_parser, while the pure-Python fallback is HttpRequestParserPy. An attacker crafts HTTP requests that a standards-conforming proxy and the lenient aiohttp parser interpret differently. The vulnerability is remotely triggerable and typically requires no authentication, since it targets the HTTP parsing layer. Complexity is moderate: it requires an understanding of HTTP framing and of how different parsers handle invalid input. An upstream proxy that forwards malformed input rather than rejecting it, or that itself parses leniently, increases the likelihood of a successful request smuggling or denial-of-service attack.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-23829?
About the Fix from Resolved Security
Available Upgrade Options
- aiohttp: versions <3.9.2 → upgrade to 3.9.2
Because the issue lies only in the pure-Python fallback parser, deployments that cannot upgrade immediately should at least ensure aiohttp's C extensions (which wrap llhttp) are built and not disabled with AIOHTTP_NO_EXTENSIONS, so that the affected parser is never used for incoming requests.
Additional Resources
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
- https://github.com/aio-libs/aiohttp/pull/8074
- https://github.com/aio-libs/aiohttp/pull/8074/files
- https://github.com/aio-libs/aiohttp/pull/3235
- https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD
What are Similar Vulnerabilities to CVE-2024-23829?
Similar Vulnerabilities: CVE-2023-45803, CVE-2021-32724, CVE-2021-39139, CVE-2020-1971, CVE-2019-17075
