CVE-2024-52304: aiohttp allows request smuggling due to incorrect parsing of chunk extensions

November 18, 2024 (updated November 19, 2024)

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

References

github.com/advisories/GHSA-8495-4g3g-x7pr
github.com/aio-libs/aiohttp
github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr
nvd.nist.gov/vuln/detail/CVE-2024-52304

Detect and mitigate CVE-2024-52304 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →