CVE-2023-49081

Aliases:GHSA-q3qx-c6g2-7pw2PYSEC-2023-250

Advisory lineage Upstream: 0 Downstream: 12

Downstream

DEBIAN-CVE-2023-49081 DLA-4041-1 DSA-5828-1 OPENSUSE-SU-2024:13691-1 RHSA-2024:1057 RHSA-2024:1536

Modified

Published: 30 Nov 2023, 06:56

Last modified:04 Nov 2025, 18:19

Vulnerability Summary

Overall Risk (default)

medium

39/100

CVSS Score

7.2 HIGH

v3.1 (cve.org)

EPSS Score

0.47% LOW

0% probability -0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

2 found

Dark Web

Not detected

Timeline

30 Nov 2023, 06:56

Published

Vulnerability first disclosed

04 Nov 2025, 18:19

Last Modified

Vulnerability information updated

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

CVSS Metrics

v4.0•MEDIUM•Score: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
v3.1•HIGH•Score: 7.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Trends

Current EPSS score: 0.47%• Percentile: 65%

Techniques & Countermeasures

CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

aio-libs•aiohttp
< 3.9.0
aiohttp•aiohttp
< 3.9.0
PyPI•aiohttp
< 1e86b777e61cf4eefc7d92fa57fa19dcc676013b | < 3.9.0