pyup-update-typing-extensions-4.8.0-to-4.9.0
2 years, 4 months ago
Update typing-extensions from 4.8.0 to 4.9.0
No dependencies with known security vulnerabilities.
master
2 years, 4 months ago
Python socks has an asyncio timeout dep
No dependencies with known security vulnerabilities.
pyup-update-python-socks-2.4.3-to-2.4.4
2 years, 4 months ago
Update python-socks from 2.4.3 to 2.4.4
No dependencies with known security vulnerabilities.
pyup-update-yarl-1.9.3-to-1.9.4
2 years, 4 months ago
Update yarl from 1.9.3 to 1.9.4
No dependencies with known security vulnerabilities.
master
2 years, 4 months ago
Update urllib3 from 2.0.7 to 2.1.0 (#514)
Co-authored-by: vEpiphyte <epiphyte@vertex.link>
No dependencies with known security vulnerabilities.
pyup-update-urllib3-2.0.7-to-2.1.0
2 years, 4 months ago
Merge branch 'master' into pyup-update-urllib3-2.0.7-to-2.1.0
No dependencies with known security vulnerabilities.
master
2 years, 4 months ago
Remove asyncio-timeout
No dependencies with known security vulnerabilities.
master
2 years, 4 months ago
Update aiohttp from 3.8.6 to 3.9.1 (#535)
Co-authored-by: vEpiphyte <epiphyte@vertex.link>
No dependencies with known security vulnerabilities.
pyup-update-aiohttp-3.8.6-to-3.9.1
2 years, 4 months ago
Merge branch 'master' into pyup-update-aiohttp-3.8.6-to-3.9.1
No dependencies with known security vulnerabilities.
master
2 years, 4 months ago
Update tornado from 6.3.3 to 6.4 (#537)
Co-authored-by: vEpiphyte <epiphyte@vertex.link>
aiohttp 3.8.6 has known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| aiohttp | 3.8.6 | >=1.1.0,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
| aiohttp | 3.8.6 | >=0.21.0,<3.9.4 |
show Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions. |
| aiohttp | 3.8.6 | <3.13.4 |
show Affected versions of the aiohttp package are vulnerable to HTTP Request Smuggling due to the acceptance of duplicate Host headers in incoming HTTP requests. The C extension HTTP parser failed to reject duplicate singleton headers such as Host, Content-Type, and Content-Length, creating parser differentials between the C and pure-Python implementations that could lead to inconsistent request interpretation. An attacker could send a crafted HTTP request containing multiple Host headers to bypass host-based access controls or poison routing decisions in upstream proxies and intermediaries. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to the default C parser (llhttp) accepting null bytes and control characters in response header values. Specifically, the parser fails to neutralise CRLF sequences and other control characters before including them in outgoing HTTP headers, which means methods such as request.url.origin() may return values that differ from the raw Host header or from what a reverse proxy interpreted. An attacker can craft malicious response headers containing embedded control characters to trigger inconsistent header interpretation, potentially leading to a Security Bypass. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to improper neutralisation of carriage return characters in the reason phrase of HTTP responses. The Response class does not sanitise the reason parameter, allowing injection of CRLF sequences that can manipulate outgoing HTTP headers. An attacker who controls the reason parameter can inject arbitrary headers into the HTTP response, potentially enabling cache poisoning or response manipulation. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects. When following a redirect to a different origin, the library correctly strips the Authorization header but fails to remove the Cookie and Proxy-Authorization headers, allowing them to be forwarded to the unintended destination. An attacker controlling or observing the redirect target can capture these leaked credentials and session tokens, potentially gaining unauthorised access to user accounts or upstream proxies. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to late enforcement of the client_max_size limit on non-file multipart form fields. When an application uses Request.post() to parse multipart data, the entire field content is read into memory before the size check is applied, allowing oversized payloads to cause significant temporary memory allocation. An attacker can exploit this by sending specially crafted multipart requests to exhaust server memory and degrade service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to insufficient size restrictions on multipart headers. Multipart headers were not subject to the same memory limits enforced for standard HTTP headers, allowing an attacker to send a response containing an excessive number of multipart headers that consume significantly more memory than intended. An attacker could exploit this by crafting a specially formed multipart response to exhaust server memory resources, potentially degrading or disrupting service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Server-Side Request Forgery (SSRF) and Information Disclosure due to insufficient path validation in the static resource handler on Windows. The static file serving component fails to properly neutralise UNC path sequences, allowing crafted requests to trigger outbound connections to attacker-controlled SMB servers and leak NTLMv2 credential hashes. An attacker can exploit this by sending a specially crafted request that references a remote UNC path, exposing hashed user credentials and enabling the attacker to read local files on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to CRLF Injection due to insufficient sanitization of the content_type parameter during multipart request header construction. An attacker who controls the content_type value passed to a multipart part can embed carriage-return and line-feed characters, allowing arbitrary HTTP headers to be injected into the outgoing request. This can be exploited to manipulate request semantics and perform HTTP Request Splitting when untrusted data is used for the multipart content type. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to an unbounded DNS cache in TCPConnector that grows without limit. When an application issues requests to a large number of distinct hosts, the internal DNS resolution cache accumulates entries indefinitely because no maximum size or eviction policy is enforced. An attacker capable of triggering requests to many unique hostnames can cause steadily increasing memory consumption, ultimately degrading or exhausting available resources on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of aiohttp are vulnerable to Uncontrolled Resource Consumption due to insufficient restrictions in header and trailer handling. The vulnerability is in header/trailer handling, where unlimited trailer headers can be processed and cause uncapped memory usage. An attacker can trigger memory exhaustion by sending an attacker-controlled request or response, resulting in reduced availability of the affected service. |
| aiohttp | 3.8.6 | <3.9.0 |
show Affected versions of `aiohttp` are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist. |
| aiohttp | 3.8.6 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.9.0 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Improper Input Validation due to insufficient checks on the HTTP version of incoming requests. The vulnerability arises because the HTTP request handling mechanism does not adequately validate the HTTP version, allowing manipulation if controlled by an attacker. An attacker with the ability to influence the HTTP version can exploit this flaw to inject new headers or craft entirely new HTTP requests, potentially leading to unauthorized actions or data exposure. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.10.11 |
show Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks. |
| aiohttp | 3.8.6 | >=1.0.0,<3.9.4 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies. |
| aiohttp | 3.8.6 | <3.12.14 |
show AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. |
pyup-update-tornado-6.3.3-to-6.4
2 years, 4 months ago
Merge branch 'master' into pyup-update-tornado-6.3.3-to-6.4
aiohttp 3.8.6 has known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| aiohttp | 3.8.6 | >=1.1.0,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
| aiohttp | 3.8.6 | >=0.21.0,<3.9.4 |
show Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions. |
| aiohttp | 3.8.6 | <3.13.4 |
show Affected versions of the aiohttp package are vulnerable to HTTP Request Smuggling due to the acceptance of duplicate Host headers in incoming HTTP requests. The C extension HTTP parser failed to reject duplicate singleton headers such as Host, Content-Type, and Content-Length, creating parser differentials between the C and pure-Python implementations that could lead to inconsistent request interpretation. An attacker could send a crafted HTTP request containing multiple Host headers to bypass host-based access controls or poison routing decisions in upstream proxies and intermediaries. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to the default C parser (llhttp) accepting null bytes and control characters in response header values. Specifically, the parser fails to neutralise CRLF sequences and other control characters before including them in outgoing HTTP headers, which means methods such as request.url.origin() may return values that differ from the raw Host header or from what a reverse proxy interpreted. An attacker can craft malicious response headers containing embedded control characters to trigger inconsistent header interpretation, potentially leading to a Security Bypass. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to improper neutralisation of carriage return characters in the reason phrase of HTTP responses. The Response class does not sanitise the reason parameter, allowing injection of CRLF sequences that can manipulate outgoing HTTP headers. An attacker who controls the reason parameter can inject arbitrary headers into the HTTP response, potentially enabling cache poisoning or response manipulation. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects. When following a redirect to a different origin, the library correctly strips the Authorization header but fails to remove the Cookie and Proxy-Authorization headers, allowing them to be forwarded to the unintended destination. An attacker controlling or observing the redirect target can capture these leaked credentials and session tokens, potentially gaining unauthorised access to user accounts or upstream proxies. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to late enforcement of the client_max_size limit on non-file multipart form fields. When an application uses Request.post() to parse multipart data, the entire field content is read into memory before the size check is applied, allowing oversized payloads to cause significant temporary memory allocation. An attacker can exploit this by sending specially crafted multipart requests to exhaust server memory and degrade service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to insufficient size restrictions on multipart headers. Multipart headers were not subject to the same memory limits enforced for standard HTTP headers, allowing an attacker to send a response containing an excessive number of multipart headers that consume significantly more memory than intended. An attacker could exploit this by crafting a specially formed multipart response to exhaust server memory resources, potentially degrading or disrupting service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Server-Side Request Forgery (SSRF) and Information Disclosure due to insufficient path validation in the static resource handler on Windows. The static file serving component fails to properly neutralise UNC path sequences, allowing crafted requests to trigger outbound connections to attacker-controlled SMB servers and leak NTLMv2 credential hashes. An attacker can exploit this by sending a specially crafted request that references a remote UNC path, exposing hashed user credentials and enabling the attacker to read local files on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to CRLF Injection due to insufficient sanitization of the content_type parameter during multipart request header construction. An attacker who controls the content_type value passed to a multipart part can embed carriage-return and line-feed characters, allowing arbitrary HTTP headers to be injected into the outgoing request. This can be exploited to manipulate request semantics and perform HTTP Request Splitting when untrusted data is used for the multipart content type. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to an unbounded DNS cache in TCPConnector that grows without limit. When an application issues requests to a large number of distinct hosts, the internal DNS resolution cache accumulates entries indefinitely because no maximum size or eviction policy is enforced. An attacker capable of triggering requests to many unique hostnames can cause steadily increasing memory consumption, ultimately degrading or exhausting available resources on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of aiohttp are vulnerable to Uncontrolled Resource Consumption due to insufficient restrictions in header and trailer handling. The vulnerability is in header/trailer handling, where unlimited trailer headers can be processed and cause uncapped memory usage. An attacker can trigger memory exhaustion by sending an attacker-controlled request or response, resulting in reduced availability of the affected service. |
| aiohttp | 3.8.6 | <3.9.0 |
show Affected versions of `aiohttp` are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist. |
| aiohttp | 3.8.6 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.9.0 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Improper Input Validation due to insufficient checks on the HTTP version of incoming requests. The vulnerability arises because the HTTP request handling mechanism does not adequately validate the HTTP version, allowing manipulation if controlled by an attacker. An attacker with the ability to influence the HTTP version can exploit this flaw to inject new headers or craft entirely new HTTP requests, potentially leading to unauthorized actions or data exposure. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.10.11 |
show Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks. |
| aiohttp | 3.8.6 | >=1.0.0,<3.9.4 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies. |
| aiohttp | 3.8.6 | <3.12.14 |
show AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. |
master
2 years, 4 months ago
Update requests-cache from 1.1.0 to 1.1.1 (#525)
aiohttp 3.8.6 has known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| aiohttp | 3.8.6 | >=1.1.0,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
| aiohttp | 3.8.6 | >=0.21.0,<3.9.4 |
show Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions. |
| aiohttp | 3.8.6 | <3.13.4 |
show Affected versions of the aiohttp package are vulnerable to HTTP Request Smuggling due to the acceptance of duplicate Host headers in incoming HTTP requests. The C extension HTTP parser failed to reject duplicate singleton headers such as Host, Content-Type, and Content-Length, creating parser differentials between the C and pure-Python implementations that could lead to inconsistent request interpretation. An attacker could send a crafted HTTP request containing multiple Host headers to bypass host-based access controls or poison routing decisions in upstream proxies and intermediaries. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to the default C parser (llhttp) accepting null bytes and control characters in response header values. Specifically, the parser fails to neutralise CRLF sequences and other control characters before including them in outgoing HTTP headers, which means methods such as request.url.origin() may return values that differ from the raw Host header or from what a reverse proxy interpreted. An attacker can craft malicious response headers containing embedded control characters to trigger inconsistent header interpretation, potentially leading to a Security Bypass. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to improper neutralisation of carriage return characters in the reason phrase of HTTP responses. The Response class does not sanitise the reason parameter, allowing injection of CRLF sequences that can manipulate outgoing HTTP headers. An attacker who controls the reason parameter can inject arbitrary headers into the HTTP response, potentially enabling cache poisoning or response manipulation. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects. When following a redirect to a different origin, the library correctly strips the Authorization header but fails to remove the Cookie and Proxy-Authorization headers, allowing them to be forwarded to the unintended destination. An attacker controlling or observing the redirect target can capture these leaked credentials and session tokens, potentially gaining unauthorised access to user accounts or upstream proxies. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to late enforcement of the client_max_size limit on non-file multipart form fields. When an application uses Request.post() to parse multipart data, the entire field content is read into memory before the size check is applied, allowing oversized payloads to cause significant temporary memory allocation. An attacker can exploit this by sending specially crafted multipart requests to exhaust server memory and degrade service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to insufficient size restrictions on multipart headers. Multipart headers were not subject to the same memory limits enforced for standard HTTP headers, allowing an attacker to send a response containing an excessive number of multipart headers that consume significantly more memory than intended. An attacker could exploit this by crafting a specially formed multipart response to exhaust server memory resources, potentially degrading or disrupting service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Server-Side Request Forgery (SSRF) and Information Disclosure due to insufficient path validation in the static resource handler on Windows. The static file serving component fails to properly neutralise UNC path sequences, allowing crafted requests to trigger outbound connections to attacker-controlled SMB servers and leak NTLMv2 credential hashes. An attacker can exploit this by sending a specially crafted request that references a remote UNC path, exposing hashed user credentials and enabling the attacker to read local files on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to CRLF Injection due to insufficient sanitization of the content_type parameter during multipart request header construction. An attacker who controls the content_type value passed to a multipart part can embed carriage-return and line-feed characters, allowing arbitrary HTTP headers to be injected into the outgoing request. This can be exploited to manipulate request semantics and perform HTTP Request Splitting when untrusted data is used for the multipart content type. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to an unbounded DNS cache in TCPConnector that grows without limit. When an application issues requests to a large number of distinct hosts, the internal DNS resolution cache accumulates entries indefinitely because no maximum size or eviction policy is enforced. An attacker capable of triggering requests to many unique hostnames can cause steadily increasing memory consumption, ultimately degrading or exhausting available resources on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of aiohttp are vulnerable to Uncontrolled Resource Consumption due to insufficient restrictions in header and trailer handling. The vulnerability is in header/trailer handling, where unlimited trailer headers can be processed and cause uncapped memory usage. An attacker can trigger memory exhaustion by sending an attacker-controlled request or response, resulting in reduced availability of the affected service. |
| aiohttp | 3.8.6 | <3.9.0 |
show Affected versions of `aiohttp` are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist. |
| aiohttp | 3.8.6 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.9.0 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Improper Input Validation due to insufficient checks on the HTTP version of incoming requests. The vulnerability arises because the HTTP request handling mechanism does not adequately validate the HTTP version, allowing manipulation if controlled by an attacker. An attacker with the ability to influence the HTTP version can exploit this flaw to inject new headers or craft entirely new HTTP requests, potentially leading to unauthorized actions or data exposure. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.10.11 |
show Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks. |
| aiohttp | 3.8.6 | >=1.0.0,<3.9.4 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies. |
| aiohttp | 3.8.6 | <3.12.14 |
show AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. |
master
2 years, 4 months ago
Update yarl from 1.9.2 to 1.9.3 (#527)
aiohttp 3.8.6 has known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| aiohttp | 3.8.6 | >=1.1.0,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
| aiohttp | 3.8.6 | >=0.21.0,<3.9.4 |
show Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions. |
| aiohttp | 3.8.6 | <3.13.4 |
show Affected versions of the aiohttp package are vulnerable to HTTP Request Smuggling due to the acceptance of duplicate Host headers in incoming HTTP requests. The C extension HTTP parser failed to reject duplicate singleton headers such as Host, Content-Type, and Content-Length, creating parser differentials between the C and pure-Python implementations that could lead to inconsistent request interpretation. An attacker could send a crafted HTTP request containing multiple Host headers to bypass host-based access controls or poison routing decisions in upstream proxies and intermediaries. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to the default C parser (llhttp) accepting null bytes and control characters in response header values. Specifically, the parser fails to neutralise CRLF sequences and other control characters before including them in outgoing HTTP headers, which means methods such as request.url.origin() may return values that differ from the raw Host header or from what a reverse proxy interpreted. An attacker can craft malicious response headers containing embedded control characters to trigger inconsistent header interpretation, potentially leading to a Security Bypass. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to improper neutralisation of carriage return characters in the reason phrase of HTTP responses. The Response class does not sanitise the reason parameter, allowing injection of CRLF sequences that can manipulate outgoing HTTP headers. An attacker who controls the reason parameter can inject arbitrary headers into the HTTP response, potentially enabling cache poisoning or response manipulation. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects. When following a redirect to a different origin, the library correctly strips the Authorization header but fails to remove the Cookie and Proxy-Authorization headers, allowing them to be forwarded to the unintended destination. An attacker controlling or observing the redirect target can capture these leaked credentials and session tokens, potentially gaining unauthorised access to user accounts or upstream proxies. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to late enforcement of the client_max_size limit on non-file multipart form fields. When an application uses Request.post() to parse multipart data, the entire field content is read into memory before the size check is applied, allowing oversized payloads to cause significant temporary memory allocation. An attacker can exploit this by sending specially crafted multipart requests to exhaust server memory and degrade service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to insufficient size restrictions on multipart headers. Multipart headers were not subject to the same memory limits enforced for standard HTTP headers, allowing an attacker to send a response containing an excessive number of multipart headers that consume significantly more memory than intended. An attacker could exploit this by crafting a specially formed multipart response to exhaust server memory resources, potentially degrading or disrupting service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Server-Side Request Forgery (SSRF) and Information Disclosure due to insufficient path validation in the static resource handler on Windows. The static file serving component fails to properly neutralise UNC path sequences, allowing crafted requests to trigger outbound connections to attacker-controlled SMB servers and leak NTLMv2 credential hashes. An attacker can exploit this by sending a specially crafted request that references a remote UNC path, exposing hashed user credentials and enabling the attacker to read local files on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to CRLF Injection due to insufficient sanitization of the content_type parameter during multipart request header construction. An attacker who controls the content_type value passed to a multipart part can embed carriage-return and line-feed characters, allowing arbitrary HTTP headers to be injected into the outgoing request. This can be exploited to manipulate request semantics and perform HTTP Request Splitting when untrusted data is used for the multipart content type. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to an unbounded DNS cache in TCPConnector that grows without limit. When an application issues requests to a large number of distinct hosts, the internal DNS resolution cache accumulates entries indefinitely because no maximum size or eviction policy is enforced. An attacker capable of triggering requests to many unique hostnames can cause steadily increasing memory consumption, ultimately degrading or exhausting available resources on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of aiohttp are vulnerable to Uncontrolled Resource Consumption due to insufficient restrictions in header and trailer handling. The vulnerability is in header/trailer handling, where unlimited trailer headers can be processed and cause uncapped memory usage. An attacker can trigger memory exhaustion by sending an attacker-controlled request or response, resulting in reduced availability of the affected service. |
| aiohttp | 3.8.6 | <3.9.0 |
show Affected versions of `aiohttp` are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist. |
| aiohttp | 3.8.6 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.9.0 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Improper Input Validation due to insufficient checks on the HTTP version of incoming requests. The vulnerability arises because the HTTP request handling mechanism does not adequately validate the HTTP version, allowing manipulation if controlled by an attacker. An attacker with the ability to influence the HTTP version can exploit this flaw to inject new headers or craft entirely new HTTP requests, potentially leading to unauthorized actions or data exposure. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.10.11 |
show Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks. |
| aiohttp | 3.8.6 | >=1.0.0,<3.9.4 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies. |
| aiohttp | 3.8.6 | <3.12.14 |
show AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. |
master
2 years, 4 months ago
Update exceptiongroup from 1.1.3 to 1.2.0 (#529)
aiohttp 3.8.6 has known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| aiohttp | 3.8.6 | >=1.1.0,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
| aiohttp | 3.8.6 | >=0.21.0,<3.9.4 |
show Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions. |
| aiohttp | 3.8.6 | <3.13.4 |
show Affected versions of the aiohttp package are vulnerable to HTTP Request Smuggling due to the acceptance of duplicate Host headers in incoming HTTP requests. The C extension HTTP parser failed to reject duplicate singleton headers such as Host, Content-Type, and Content-Length, creating parser differentials between the C and pure-Python implementations that could lead to inconsistent request interpretation. An attacker could send a crafted HTTP request containing multiple Host headers to bypass host-based access controls or poison routing decisions in upstream proxies and intermediaries. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to the default C parser (llhttp) accepting null bytes and control characters in response header values. Specifically, the parser fails to neutralise CRLF sequences and other control characters before including them in outgoing HTTP headers, which means methods such as request.url.origin() may return values that differ from the raw Host header or from what a reverse proxy interpreted. An attacker can craft malicious response headers containing embedded control characters to trigger inconsistent header interpretation, potentially leading to a Security Bypass. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to improper neutralisation of carriage return characters in the reason phrase of HTTP responses. The Response class does not sanitise the reason parameter, allowing injection of CRLF sequences that can manipulate outgoing HTTP headers. An attacker who controls the reason parameter can inject arbitrary headers into the HTTP response, potentially enabling cache poisoning or response manipulation. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects. When following a redirect to a different origin, the library correctly strips the Authorization header but fails to remove the Cookie and Proxy-Authorization headers, allowing them to be forwarded to the unintended destination. An attacker controlling or observing the redirect target can capture these leaked credentials and session tokens, potentially gaining unauthorised access to user accounts or upstream proxies. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to late enforcement of the client_max_size limit on non-file multipart form fields. When an application uses Request.post() to parse multipart data, the entire field content is read into memory before the size check is applied, allowing oversized payloads to cause significant temporary memory allocation. An attacker can exploit this by sending specially crafted multipart requests to exhaust server memory and degrade service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to insufficient size restrictions on multipart headers. Multipart headers were not subject to the same memory limits enforced for standard HTTP headers, allowing an attacker to send a response containing an excessive number of multipart headers that consume significantly more memory than intended. An attacker could exploit this by crafting a specially formed multipart response to exhaust server memory resources, potentially degrading or disrupting service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Server-Side Request Forgery (SSRF) and Information Disclosure due to insufficient path validation in the static resource handler on Windows. The static file serving component fails to properly neutralise UNC path sequences, allowing crafted requests to trigger outbound connections to attacker-controlled SMB servers and leak NTLMv2 credential hashes. An attacker can exploit this by sending a specially crafted request that references a remote UNC path, exposing hashed user credentials and enabling the attacker to read local files on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to CRLF Injection due to insufficient sanitization of the content_type parameter during multipart request header construction. An attacker who controls the content_type value passed to a multipart part can embed carriage-return and line-feed characters, allowing arbitrary HTTP headers to be injected into the outgoing request. This can be exploited to manipulate request semantics and perform HTTP Request Splitting when untrusted data is used for the multipart content type. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to an unbounded DNS cache in TCPConnector that grows without limit. When an application issues requests to a large number of distinct hosts, the internal DNS resolution cache accumulates entries indefinitely because no maximum size or eviction policy is enforced. An attacker capable of triggering requests to many unique hostnames can cause steadily increasing memory consumption, ultimately degrading or exhausting available resources on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of aiohttp are vulnerable to Uncontrolled Resource Consumption due to insufficient restrictions in header and trailer handling. The vulnerability is in header/trailer handling, where unlimited trailer headers can be processed and cause uncapped memory usage. An attacker can trigger memory exhaustion by sending an attacker-controlled request or response, resulting in reduced availability of the affected service. |
| aiohttp | 3.8.6 | <3.9.0 |
show Affected versions of `aiohttp` are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist. |
| aiohttp | 3.8.6 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.9.0 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Improper Input Validation due to insufficient checks on the HTTP version of incoming requests. The vulnerability arises because the HTTP request handling mechanism does not adequately validate the HTTP version, allowing manipulation if controlled by an attacker. An attacker with the ability to influence the HTTP version can exploit this flaw to inject new headers or craft entirely new HTTP requests, potentially leading to unauthorized actions or data exposure. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.10.11 |
show Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks. |
| aiohttp | 3.8.6 | >=1.0.0,<3.9.4 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies. |
| aiohttp | 3.8.6 | <3.12.14 |
show AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. |
master
2 years, 4 months ago
Update cryptography from 41.0.5 to 41.0.7 (#540)
Co-authored-by: pyup-bot <github-bot@pyup.io>
aiohttp 3.8.6 has known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| aiohttp | 3.8.6 | >=1.1.0,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
| aiohttp | 3.8.6 | >=0.21.0,<3.9.4 |
show Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions. |
| aiohttp | 3.8.6 | <3.13.4 |
show Affected versions of the aiohttp package are vulnerable to HTTP Request Smuggling due to the acceptance of duplicate Host headers in incoming HTTP requests. The C extension HTTP parser failed to reject duplicate singleton headers such as Host, Content-Type, and Content-Length, creating parser differentials between the C and pure-Python implementations that could lead to inconsistent request interpretation. An attacker could send a crafted HTTP request containing multiple Host headers to bypass host-based access controls or poison routing decisions in upstream proxies and intermediaries. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to the default C parser (llhttp) accepting null bytes and control characters in response header values. Specifically, the parser fails to neutralise CRLF sequences and other control characters before including them in outgoing HTTP headers, which means methods such as request.url.origin() may return values that differ from the raw Host header or from what a reverse proxy interpreted. An attacker can craft malicious response headers containing embedded control characters to trigger inconsistent header interpretation, potentially leading to a Security Bypass. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to improper neutralisation of carriage return characters in the reason phrase of HTTP responses. The Response class does not sanitise the reason parameter, allowing injection of CRLF sequences that can manipulate outgoing HTTP headers. An attacker who controls the reason parameter can inject arbitrary headers into the HTTP response, potentially enabling cache poisoning or response manipulation. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects. When following a redirect to a different origin, the library correctly strips the Authorization header but fails to remove the Cookie and Proxy-Authorization headers, allowing them to be forwarded to the unintended destination. An attacker controlling or observing the redirect target can capture these leaked credentials and session tokens, potentially gaining unauthorised access to user accounts or upstream proxies. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to late enforcement of the client_max_size limit on non-file multipart form fields. When an application uses Request.post() to parse multipart data, the entire field content is read into memory before the size check is applied, allowing oversized payloads to cause significant temporary memory allocation. An attacker can exploit this by sending specially crafted multipart requests to exhaust server memory and degrade service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service due to insufficient size restrictions on multipart headers. Multipart headers were not subject to the same memory limits enforced for standard HTTP headers, allowing an attacker to send a response containing an excessive number of multipart headers that consume significantly more memory than intended. An attacker could exploit this by crafting a specially formed multipart response to exhaust server memory resources, potentially degrading or disrupting service availability. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Server-Side Request Forgery (SSRF) and Information Disclosure due to insufficient path validation in the static resource handler on Windows. The static file serving component fails to properly neutralise UNC path sequences, allowing crafted requests to trigger outbound connections to attacker-controlled SMB servers and leak NTLMv2 credential hashes. An attacker can exploit this by sending a specially crafted request that references a remote UNC path, exposing hashed user credentials and enabling the attacker to read local files on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to CRLF Injection due to insufficient sanitization of the content_type parameter during multipart request header construction. An attacker who controls the content_type value passed to a multipart part can embed carriage-return and line-feed characters, allowing arbitrary HTTP headers to be injected into the outgoing request. This can be exploited to manipulate request semantics and perform HTTP Request Splitting when untrusted data is used for the multipart content type. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to an unbounded DNS cache in TCPConnector that grows without limit. When an application issues requests to a large number of distinct hosts, the internal DNS resolution cache accumulates entries indefinitely because no maximum size or eviction policy is enforced. An attacker capable of triggering requests to many unique hostnames can cause steadily increasing memory consumption, ultimately degrading or exhausting available resources on the host system. |
| aiohttp | 3.8.6 | <=3.13.3 |
show Affected versions of aiohttp are vulnerable to Uncontrolled Resource Consumption due to insufficient restrictions in header and trailer handling. The vulnerability is in header/trailer handling, where unlimited trailer headers can be processed and cause uncapped memory usage. An attacker can trigger memory exhaustion by sending an attacker-controlled request or response, resulting in reduced availability of the affected service. |
| aiohttp | 3.8.6 | <3.9.0 |
show Affected versions of `aiohttp` are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist. |
| aiohttp | 3.8.6 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.9.0 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Improper Input Validation due to insufficient checks on the HTTP version of incoming requests. The vulnerability arises because the HTTP request handling mechanism does not adequately validate the HTTP version, allowing manipulation if controlled by an attacker. An attacker with the ability to influence the HTTP version can exploit this flaw to inject new headers or craft entirely new HTTP requests, potentially leading to unauthorized actions or data exposure. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks. |
| aiohttp | 3.8.6 | >=2.0.0rc1,<3.10.11 |
show Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks. |
| aiohttp | 3.8.6 | >=1.0.0,<3.9.4 , >=4.0.0a0,<=4.0.0a1 |
show Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values. |
| aiohttp | 3.8.6 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies. |
| aiohttp | 3.8.6 | <3.12.14 |
show AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. |
Python 3 badge
URL
https://pyup.io/repos/github/vertexproject/vtx-base-image/python-3-shield.svg
Markdown
[](https://pyup.io/repos/github/vertexproject/vtx-base-image/)
Restructured Text
.. image:: https://pyup.io/repos/github/vertexproject/vtx-base-image/python-3-shield.svg
:target: https://pyup.io/repos/github/vertexproject/vtx-base-image/
:alt: Python 3
HTML
<a href="https://pyup.io/repos/github/vertexproject/vtx-base-image/"><img src="https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg" alt="Python 3" /></a>
Textile
!https://pyup.io/repos/github/vertexproject/vtx-base-image/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/vertexproject/vtx-base-image/
RDoc
{<img src="https://pyup.io/repos/github/vertexproject/vtx-base-image/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/vertexproject/vtx-base-image/]
pyup.io badge
URL
https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg
Markdown
[](https://pyup.io/repos/github/vertexproject/vtx-base-image/)
Restructured Text
.. image:: https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg
:target: https://pyup.io/repos/github/vertexproject/vtx-base-image/
:alt: Updates
HTML
<a href="https://pyup.io/repos/github/vertexproject/vtx-base-image/"><img src="https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg" alt="Updates" /></a>
Textile
!https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg(Updates)!:https://pyup.io/repos/github/vertexproject/vtx-base-image/
RDoc
{<img src="https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/vertexproject/vtx-base-image/]