aiohttp allows request smuggling due to incorrect parsing of chunk extensions

GHSA-8495-4g3g-x7pr · CVE-2024-52304

Published Nov 18, 2024 · Modified Feb 4, 2026

Description

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

References

WEB https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-52304
WEB https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
PACKAGE https://github.com/aio-libs/aiohttp
WEB https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes