CVE-2023-37276

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Jul 19, 2023

Updated: Nov 22, 2023

CWE ID 444

Summary

CVE-2023-37276 impacts the aiohttp library before version 3.8.5. This asynchronous HTTP framework for Python and asyncio contains a vulnerability in the llhttp HTTP request parser used by aiohttp as a default when installed from a wheel. This issue, affecting only aiohttp as an HTTP server, can lead to HTTP request smuggling by misinterpreting HTTP header values in crafted requests. Users are advised to upgrade to version 3.8.5 or disable the llhttp HTTP request parser by setting `AIOHTTP_NO_EXTENSIONS=1` as an environment variable when installing. The pure Python implementation of aiohttp remains unaffected.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Affected Products

aiohttp

Advisories, Assessments, and Mitigations

Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future

Note: This is just a basic overview providing quick insights into CVE-2023-37276 information. Gain full access to comprehensive CVE data, third party vulnerabilities, compromised credentials and more with Recorded Future

Gain complete coverage of your cyber, third party, and physical attack surface
Proactively mitigate threats before they turn into costly attacks
Make fast, effective, data-driven decisions

Book your demo

Sign in

Back to Vulnerability Database