Skip to content

aiohttp has vulnerable dependency that is vulnerable to request smuggling

Moderate severity GitHub Reviewed Published Nov 25, 2023 in aio-libs/aiohttp • Updated Nov 27, 2023

Package

pip aiohttp (pip)

Affected versions

< 3.8.6

Patched versions

3.8.6

Description

Summary

llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities.
Details have not been disclosed yet, so refer to llhttp for future information.
The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).

References

@Dreamsorcerer Dreamsorcerer published to aio-libs/aiohttp Nov 25, 2023
Published to the GitHub Advisory Database Nov 27, 2023
Reviewed Nov 27, 2023
Last updated Nov 27, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-pjjw-qhg8-p2p9

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.