{"url":"http://public2.vulnerablecode.io/api/packages/79166?format=json","purl":"pkg:ebuild/dev-python/aiohttp@3.9.4","type":"ebuild","namespace":"dev-python","name":"aiohttp","version":"3.9.4","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19459?format=json","vulnerability_id":"VCID-bhkk-2b7c-wfgr","summary":"aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests\n### Summary\nAn attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.\n\n### Impact\nAn attacker can stop the application from serving requests after sending a single request.\n\n-------\n\nFor anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`):\n\n```diff\ndiff --git a/aiohttp/multipart.py b/aiohttp/multipart.py\nindex 227be605c..71fc2654a 100644\n--- a/aiohttp/multipart.py\n+++ b/aiohttp/multipart.py\n@@ -338,6 +338,8 @@ class BodyPartReader:\n         assert self._length is not None, \"Content-Length required for chunked read\"\n         chunk_size = min(size, self._length - self._read_bytes)\n         chunk = await self._content.read(chunk_size)\n+        if self._content.at_eof():\n+            self._at_eof = True\n         return chunk\n \n     async def _read_chunk_from_stream(self, size: int) -> bytes:\n```\n\nThis does however introduce some very minor issues with handling form data. 
So, if possible, it would be recommended to also backport the changes in:\nhttps://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19\nhttps://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597\nhttps://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30251.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30251.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-30251","reference_id":"","reference_type":"","scores":[{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.56062","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.56005","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.55982","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.56032","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.5597","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.56051","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.55978","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.55998","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.55922","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.55973","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58097","published_at":"2026-
04-07T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58159","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58128","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58147","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58171","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58155","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58101","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58123","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58151","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-30251"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30251","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30251"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/aio-libs/aiohttp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aio-libs/aiohttp"},{"reference_url":"https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597","reference_id":"","reference_type":"","scores":[{"value":"7.5","s
coring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/"}],"url":"https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597"},{"reference_url":"https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/"}],"url":"https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19"},{"reference_url":"https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/"}],"url":"https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866"},{"reference_url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/"}],"ur
l":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30251","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30251"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/05/02/4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/05/02/4"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070364","reference_id":"1070364","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070364"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2278710","reference_id":"2278710","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2278710"},{"reference_url":"https://github.com/advisories/GHSA-5m98-qgg9-wh84","reference_id":"GHSA-5m98-qgg9-wh84","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5m98-qgg9-wh84"},{"reference_url":
"https://security.gentoo.org/glsa/202408-11","reference_id":"GLSA-202408-11","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202408-11"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3781","reference_id":"RHSA-2024:3781","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3781"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1335","reference_id":"RHSA-2025:1335","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1335"},{"reference_url":"https://usn.ubuntu.com/7642-1/","reference_id":"USN-7642-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7642-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79166?format=json","purl":"pkg:ebuild/dev-python/aiohttp@3.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/dev-python/aiohttp@3.9.4"}],"aliases":["CVE-2024-30251","GHSA-5m98-qgg9-wh84"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bhkk-2b7c-wfgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11475?format=json","vulnerability_id":"VCID-t2aj-cszz-tyd7","summary":"aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. 
Because aiohttp treats any Transfer-Encoding value that contains the word chunked (for example chunked123) as chunked encoding, while the front-end proxy does not recognise that value, ignores the header and frames the body by Content-Length instead, the two parsers disagree on where one request ends and the next begins (HTTP request smuggling). The impact is that an attacker can bypass any proxy-level rule and poison the persistent backend connection that is shared with other users (for example, interfering with the Authentication headers of other users' requests); if the application also has an Open Redirect, the attacker can combine the two to redirect arbitrary users to another website and log their requests. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-47641.json","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-47641.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47641","reference_id":"","reference_type":"","scores":[{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54953","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54919","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54943","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54961","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54924","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54947","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54908","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54965","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elemen
ts":"0.54934","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54904","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54954","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00358","scoring_system":"epss","scoring_elements":"0.58083","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00358","scoring_system":"epss","scoring_elements":"0.5793","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00358","scoring_system":"epss","scoring_elements":"0.58034","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00358","scoring_system":"epss","scoring_elements":"0.57984","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00358","scoring_system":"epss","scoring_elements":"0.58013","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00358","scoring_system":"epss","scoring_elements":"0.57972","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00358","scoring_system":"epss","scoring_elements":"0.57989","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47641"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47641","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47641"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/aio-libs/aiohttp","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","
scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aio-libs/aiohttp"},{"reference_url":"https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:18:44Z/"}],"url":"https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371"},{"reference_url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.8.0","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.8.0"},{"reference_url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","sco
ring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:18:44Z/"}],"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-247.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-247.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2250179","reference_id":"2250179","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2250179"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47641","reference_id":"CVE-2023-47641","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47641"},{"referen
ce_url":"https://github.com/advisories/GHSA-xx9p-xxvh-7g8j","reference_id":"GHSA-xx9p-xxvh-7g8j","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xx9p-xxvh-7g8j"},{"reference_url":"https://security.gentoo.org/glsa/202408-11","reference_id":"GLSA-202408-11","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202408-11"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79166?format=json","purl":"pkg:ebuild/dev-python/aiohttp@3.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/dev-python/aiohttp@3.9.4"}],"aliases":["CVE-2023-47641","GHSA-xx9p-xxvh-7g8j","PYSEC-2023-247"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t2aj-cszz-tyd7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11527?format=json","vulnerability_id":"VCID-ue33-na1g-rqa7","summary":"aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation of the HTTP method and HTTP version makes it possible for an attacker who controls the HTTP method (GET, POST etc.) of a request to modify that request (e.g. insert a new header) or even create an additional HTTP request; the vulnerability occurs only if the attacker can control the HTTP method of the request. If the attacker can instead control the HTTP version of the request, it will be able to modify the request (request smuggling). 
This issue has been patched in version 3.9.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49082.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49082.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49082","reference_id":"","reference_type":"","scores":[{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44791","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44481","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44596","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44675","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44668","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44749","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.4482","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44826","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44773","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44772","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44802","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44786","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44783","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00221","scoring_system":"epss",
"scoring_elements":"0.4473","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.4477","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44603","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44532","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44503","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44566","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.44551","published_at":"2026-05-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49082"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49082","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49082"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b"},{"reference_url":"https://github.com/aio-libs/aiohttp","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scor
ing_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aio-libs/aiohttp"},{"reference_url":"https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466"},{"reference_url":"https://github.com/aio-libs/aiohttp/pull/7806/files","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aio-libs/aiohttp/pull/7806/files"},{"reference_url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx"},{"reference_u
rl":"https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:
L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057164","reference_id":"1057164","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057164"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2252248","reference_id":"2252248","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2252248"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49082","reference_id":"CVE-2023-49082","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49082"},{"reference_url":"https://github.com/advisories/GHSA-qvrw-v9rv-5rjx","reference_id":"GHSA-qvrw-v9rv-5rjx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qvrw-v9rv-5rjx"},{"reference_url":"https://security.gentoo.org/glsa/202408-11","reference_id":"GLSA-202408-11","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202408-11"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1057","reference_id":"RHSA-2024:1057","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1057"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1878","reference_id":"RHSA-2024:1878",
"reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1878"},{"reference_url":"https://usn.ubuntu.com/7642-1/","reference_id":"USN-7642-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7642-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79166?format=json","purl":"pkg:ebuild/dev-python/aiohttp@3.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/dev-python/aiohttp@3.9.4"}],"aliases":["CVE-2023-49082","GHSA-qvrw-v9rv-5rjx","PYSEC-2023-251"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ue33-na1g-rqa7"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/dev-python/aiohttp@3.9.4"}