CVE-2023-37276

Summary

CVE-2023-37276 impacts the aiohttp library before version 3.8.5. This asynchronous HTTP framework for Python and asyncio contains a vulnerability in the llhttp HTTP request parser used by aiohttp as a default when installed from a wheel. This issue, affecting only aiohttp as an HTTP server, can lead to HTTP request smuggling by misinterpreting HTTP header values in crafted requests. Users are advised to upgrade to version 3.8.5 or disable the llhttp HTTP request parser by setting `AIOHTTP_NO_EXTENSIONS=1` as an environment variable when installing. The pure Python implementation of aiohttp remains unaffected.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.