CVE-2024-52304

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71	Patch
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*

History

03 Nov 2025, 21:17

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html -

15 Aug 2025, 17:36

Type	Values Removed	Values Added
CPE		cpe:2.3:a:aiohttp:aiohttp::::::::
References	~~() https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71 -~~	() https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71 - Patch
References	~~() https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr -~~	() https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr - Vendor Advisory
First Time		Aiohttp aiohttp Aiohttp
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

21 Nov 2024, 14:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~0.0~~	v2 : unknown v3 : unknown

19 Nov 2024, 16:35

Type	Values Removed	Values Added
Summary		(es) aiohttp es un framework de trabajo de cliente/servidor HTTP asincrónico para asyncio y Python. Antes de la versión 3.10.11, el analizador de Python analiza incorrectamente las nuevas líneas en las extensiones de fragmentos, lo que puede provocar vulnerabilidades de contrabando de solicitudes en determinadas condiciones. Si se instala una versión Python pura de aiohttp (es decir, sin las extensiones C habituales) o se habilita `AIOHTTP_NO_EXTENSIONS`, un atacante puede ejecutar un ataque de contrabando de solicitudes para eludir determinados cortafuegos o protecciones de proxy. La versión 3.10.11 soluciona el problema.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 0.0

18 Nov 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-18 21:15

Updated : 2025-11-03 21:17

NVD link : CVE-2024-52304

Mitre link : CVE-2024-52304

CVE.ORG link : CVE-2024-52304

JSON object : View

Products Affected

aiohttp

aiohttp

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

7.5 /10