Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j

The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended.
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2

Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Affected versions of aiohttp are vulnerable to Middleware Cache Pollution. This vulnerability allows attackers to potentially interfere with middleware handling by exploiting cached middleware associated with system routes. The impact includes possible bypassing of security middleware or unintended access to internal routes. The attack vector involves crafting requests that target system routes, causing the middleware cache to store and reuse inappropriate middleware configurations. The vulnerable methods are _build_middlewares and the middleware caching mechanism in web_app.py. To mitigate, upgrade to aiohttp version, which prevents system routes from polluting the middleware cache by excluding SystemRoute instances from caching.

Affected versions of aiohttp are vulnerable to Directory Traversal (CWE-22). This allows attackers to access sensitive files outside the intended directory by exploiting symbolic links with compressed file extensions. The vulnerability exists in the FileResponse class, where stat() is used instead of lstat(), causing the server to follow symlinks when checking for compressed file variants. To mitigate, update aiohttp to include the fix or modify the code to use lstat() and ensure only regular files are served.

Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection.
https://github.com/aio-libs/aiohttp/issues/4818

Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. See CVE-2024-27306.

The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows 
 exceptions during validation that aren't handled consistently with other malformed inputs.

Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks.

Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w

Aiohttp 3.8.6 updates vendored copy of  'llhttp' to v9.1.3 to include a security fix.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j

The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended.
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2

Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Affected versions of aiohttp are vulnerable to Middleware Cache Pollution. This vulnerability allows attackers to potentially interfere with middleware handling by exploiting cached middleware associated with system routes. The impact includes possible bypassing of security middleware or unintended access to internal routes. The attack vector involves crafting requests that target system routes, causing the middleware cache to store and reuse inappropriate middleware configurations. The vulnerable methods are _build_middlewares and the middleware caching mechanism in web_app.py. To mitigate, upgrade to aiohttp version, which prevents system routes from polluting the middleware cache by excluding SystemRoute instances from caching.

Affected versions of aiohttp are vulnerable to Directory Traversal (CWE-22). This allows attackers to access sensitive files outside the intended directory by exploiting symbolic links with compressed file extensions. The vulnerability exists in the FileResponse class, where stat() is used instead of lstat(), causing the server to follow symlinks when checking for compressed file variants. To mitigate, update aiohttp to include the fix or modify the code to use lstat() and ensure only regular files are served.

Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection.
https://github.com/aio-libs/aiohttp/issues/4818

Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. See CVE-2024-27306.

The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows 
 exceptions during validation that aren't handled consistently with other malformed inputs.

Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks.

Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w

Aiohttp 3.8.6 updates vendored copy of  'llhttp' to v9.1.3 to include a security fix.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j

The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended.
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2

Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Affected versions of aiohttp are vulnerable to Middleware Cache Pollution. This vulnerability allows attackers to potentially interfere with middleware handling by exploiting cached middleware associated with system routes. The impact includes possible bypassing of security middleware or unintended access to internal routes. The attack vector involves crafting requests that target system routes, causing the middleware cache to store and reuse inappropriate middleware configurations. The vulnerable methods are _build_middlewares and the middleware caching mechanism in web_app.py. To mitigate, upgrade to aiohttp version, which prevents system routes from polluting the middleware cache by excluding SystemRoute instances from caching.

Affected versions of aiohttp are vulnerable to Directory Traversal (CWE-22). This allows attackers to access sensitive files outside the intended directory by exploiting symbolic links with compressed file extensions. The vulnerability exists in the FileResponse class, where stat() is used instead of lstat(), causing the server to follow symlinks when checking for compressed file variants. To mitigate, update aiohttp to include the fix or modify the code to use lstat() and ensure only regular files are served.

Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection.
https://github.com/aio-libs/aiohttp/issues/4818

Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. See CVE-2024-27306.

The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows 
 exceptions during validation that aren't handled consistently with other malformed inputs.

Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks.

Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w

Aiohttp 3.8.6 updates vendored copy of  'llhttp' to v9.1.3 to include a security fix.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

webargs 5.1.3 fixes race condition between parallel requests when the cache is used. See: CVE-2019-9710.

Affected versions of pyjwt are vulnerable to Partial Comparison (CWE-187). This flaw allows attackers to bypass issuer (iss) verification by providing partial matches, potentially granting unauthorized access. The vulnerability arises in the decode method of api_jwt.py, where issuer validation incorrectly treats strings as sequences, leading to partial matches (e.g., "abc" being accepted for "__abc__"). Exploiting this requires crafting JWTs with partially matching iss claims, which is straightforward.

PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j

The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended.
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2

Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Affected versions of aiohttp are vulnerable to Middleware Cache Pollution. This vulnerability allows attackers to potentially interfere with middleware handling by exploiting cached middleware associated with system routes. The impact includes possible bypassing of security middleware or unintended access to internal routes. The attack vector involves crafting requests that target system routes, causing the middleware cache to store and reuse inappropriate middleware configurations. The vulnerable methods are _build_middlewares and the middleware caching mechanism in web_app.py. To mitigate, upgrade to aiohttp version, which prevents system routes from polluting the middleware cache by excluding SystemRoute instances from caching.

Affected versions of aiohttp are vulnerable to Directory Traversal (CWE-22). This allows attackers to access sensitive files outside the intended directory by exploiting symbolic links with compressed file extensions. The vulnerability exists in the FileResponse class, where stat() is used instead of lstat(), causing the server to follow symlinks when checking for compressed file variants. To mitigate, update aiohttp to include the fix or modify the code to use lstat() and ensure only regular files are served.

Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection.
https://github.com/aio-libs/aiohttp/issues/4818

Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. See CVE-2024-27306.

The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows 
 exceptions during validation that aren't handled consistently with other malformed inputs.

Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks.

Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w

Aiohttp 3.8.6 updates vendored copy of  'llhttp' to v9.1.3 to include a security fix.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9