CVE-2023-47641

Aliases:GHSA-xx9p-xxvh-7g8jPYSEC-2023-247

Advisory lineage Upstream: 0 Downstream: 6

Downstream

DEBIAN-CVE-2023-47641 DLA-4041-1 OPENSUSE-SU-2024:13691-1 SUSE-SU-2023:4909-1 SUSE-SU-2024:0577-1 UBUNTU-CVE-2023-47641

Modified

Published: 14 Nov 2023, 20:44

Last modified:03 Nov 2025, 20:36

Vulnerability Summary

Overall Risk (default)

medium

36/100

CVSS Score

6.5 MEDIUM

v3.1 (nvd)

EPSS Score

0.36% LOW

0% probability +0.14%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

14 Nov 2023, 20:44

Published

Vulnerability first disclosed

03 Nov 2025, 20:36

Last Modified

Vulnerability information updated

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Metrics

v3.1•LOW•Score: 3.4CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.36%• Percentile: 58%

Techniques & Countermeasures

CWE-444•Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Affected Systems

aio-libs•aiohttp
< 3.8.0
aiohttp•aiohttp
< 3.8.0
PyPI•aiohttp
< f016f0680e4ace6742b03a70cb0382ce86abe371 | < 3.8.0