Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/aiohttp@4.0.0a0
Typepypi
Namespace
Nameaiohttp
Version4.0.0a0
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-ttq3-65ny-skdg
vulnerability_id VCID-ttq3-65ny-skdg
summary 
aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
### Impact

aiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.

This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`).

### Reproducer

```python
from aiohttp import web

async def example(request: web.Request):
    headers = dict(request.headers)
    body = await request.content.read()
    return web.Response(text=f"headers: {headers} body: {body}")

app = web.Application()
app.add_routes([web.post('/', example)])
web.run_app(app)
```

Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.

```console
$ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \
  | nc localhost 8080

Expected output:
  headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b''

Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently)
  headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'
```

### Patches

Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: [`pip install aiohttp >= 3.8.5`](https://pypi.org/project/aiohttp/3.8.5/)

### Workarounds

If you aren't able to upgrade you can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:

```console
$ python -m pip uninstall --yes aiohttp
$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp
```

### References

* https://nvd.nist.gov/vuln/detail/CVE-2023-30589
* https://hackerone.com/reports/2001873
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37276.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37276.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-37276
reference_id
reference_type
scores
0
value 0.05775
scoring_system epss
scoring_elements 0.9048
published_at 2026-04-09T12:55:00Z
1
value 0.05775
scoring_system epss
scoring_elements 0.90474
published_at 2026-04-08T12:55:00Z
2
value 0.05775
scoring_system epss
scoring_elements 0.90462
published_at 2026-04-07T12:55:00Z
3
value 0.05775
scoring_system epss
scoring_elements 0.90456
published_at 2026-04-04T12:55:00Z
4
value 0.05775
scoring_system epss
scoring_elements 0.90444
published_at 2026-04-02T12:55:00Z
5
value 0.05775
scoring_system epss
scoring_elements 0.90498
published_at 2026-04-18T12:55:00Z
6
value 0.05775
scoring_system epss
scoring_elements 0.90481
published_at 2026-04-13T12:55:00Z
7
value 0.05775
scoring_system epss
scoring_elements 0.90487
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-37276
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
4
reference_url https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:05:51Z/
url https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules
5
reference_url https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:05:51Z/
url https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
6
reference_url https://github.com/aio-libs/aiohttp/commit/9c13a52c21c23dfdb49ed89418d28a5b116d0681
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/commit/9c13a52c21c23dfdb49ed89418d28a5b116d0681
7
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:05:51Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-120.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-120.yaml
9
reference_url https://hackerone.com/reports/2001873
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:05:51Z/
url https://hackerone.com/reports/2001873
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37276
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-37276
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2224185
reference_id 2224185
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2224185
12
reference_url https://github.com/advisories/GHSA-45c4-8wx5-qw6w
reference_id GHSA-45c4-8wx5-qw6w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-45c4-8wx5-qw6w
13
reference_url https://access.redhat.com/errata/RHSA-2024:1878
reference_id RHSA-2024:1878
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1878
fixed_packages
0
url pkg:pypi/aiohttp@3.8.5
purl pkg:pypi/aiohttp@3.8.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bcuu-jvzt-6fhn
1
vulnerability VCID-bhkk-2b7c-wfgr
2
vulnerability VCID-d3pa-kwgz-vuag
3
vulnerability VCID-ft9z-nd6x-27dz
4
vulnerability VCID-jxqg-x9dh-z3hb
5
vulnerability VCID-k122-7d38-2ug5
6
vulnerability VCID-peyu-fxyx-ayde
7
vulnerability VCID-pmr9-w1fc-93cm
8
vulnerability VCID-pqus-ew4j-k7da
9
vulnerability VCID-qrus-4szm-c3bj
10
vulnerability VCID-sjws-ddnq-fke2
11
vulnerability VCID-t9gx-etxx-vkgb
12
vulnerability VCID-tn28-662n-vug8
13
vulnerability VCID-ue33-na1g-rqa7
14
vulnerability VCID-vqvz-jfqh-jkaz
15
vulnerability VCID-zf8d-kxf1-sqds
16
vulnerability VCID-zm3a-mf2z-xfcm
17
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.8.5
1
url pkg:pypi/aiohttp@4.0.0a0
purl pkg:pypi/aiohttp@4.0.0a0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@4.0.0a0
aliases CVE-2023-37276, GHSA-45c4-8wx5-qw6w, PYSEC-2023-120
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ttq3-65ny-skdg
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@4.0.0a0