Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nZncyLTRqdmgtd2dmZ84AA3K1
AIOHTTP has problems in HTTP parser (the python one, not llhttp)
Summary
The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling.
This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).
Details
Bug 1: Bad parsing of Content-Length values
Description
RFC 9110 says this:
Content-Length = 1*DIGIT
AIOHTTP does not enforce this rule, presumably because of an incorrect usage of the builtin int constructor. Because the int constructor accepts + and - prefixes, and digit-separating underscores, using int to parse CL values leads AIOHTTP to significant misinterpretation.
Examples
GET / HTTP/1.1\r\n
Content-Length: -0\r\n
\r\n
X
GET / HTTP/1.1\r\n
Content-Length: +0_1\r\n
\r\n
X
Suggested action
Verify that a Content-Length value consists only of ASCII digits before parsing, as the standard requires.
Bug 2: Improper handling of NUL, CR, and LF in header values
Description
RFC 9110 says this:
Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message.
AIOHTTP's HTTP parser does not enforce this rule, and will happily process header values containing these three forbidden characters without replacing them with SP.
Examples
GET / HTTP/1.1\r\n
Header: v\x00alue\r\n
\r\n
GET / HTTP/1.1\r\n
Header: v\ralue\r\n
\r\n
GET / HTTP/1.1\r\n
Header: v\nalue\r\n
\r\n
Suggested action
Reject all messages with NUL, CR, or LF in a header value. The translation to space thing, while technically allowed, does not seem like a good idea to me.
Bug 3: Improper stripping of whitespace before colon in HTTP headers
Description
RFC 9112 says this:
No whitespace is allowed between the field name and colon. In the past, differences in the handling of such whitespace have led to security vulnerabilities in request routing and response handling. A server MUST reject, with a response status code of 400 (Bad Request), any received request message that contains whitespace between a header field name and colon.
AIOHTTP does not enforce this rule, and will simply strip any whitespace before the colon in an HTTP header.
Example
GET / HTTP/1.1\r\n
Content-Length : 1\r\n
\r\n
X
Suggested action
Reject all messages with whitespace before a colon in a header field, as the standard requires.
PoC
Example requests are embedded in the previous section. To reproduce these bugs, start an AIOHTTP server without llhttp (i.e. AIOHTTP_NO_EXTENSIONS=1) and send the requests given in the previous section. (e.g. by printfing into nc)
Impact
Each of these bugs can be used for request smuggling.
Permalink: https://github.com/advisories/GHSA-gfw2-4jvh-wgfgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nZncyLTRqdmgtd2dmZ84AA3K1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 2 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-gfw2-4jvh-wgfg, CVE-2023-47627
References:
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
- https://nvd.nist.gov/vuln/detail/CVE-2023-47627
- https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d
- https://github.com/aio-libs/aiohttp/releases/tag/v3.8.6
- https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-246.yaml
- https://lists.fedoraproject.org/archives/list/[email protected]/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U/
- https://github.com/advisories/GHSA-gfw2-4jvh-wgfg
Blast Radius: 25.6
Affected Packages
pypi:aiohttp
Dependent packages: 4,004Dependent repositories: 66,431
Downloads: 107,102,656 last month
Affected Version Ranges: < 3.8.6
Fixed in: 3.8.6
All affected versions: 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.16.6, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.21.0, 0.21.1, 0.21.2, 0.21.4, 0.21.5, 0.21.6, 0.22.0, 0.22.1, 0.22.2, 0.22.3, 0.22.4, 0.22.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5
All unaffected versions: 3.8.6, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5