CVE-2023-49082

5.3 MEDIUM
Published: November 29, 2023 Modified: November 04, 2025
View on NVD

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
Source: security-advisories@github.com
Exploit Third Party Advisory
https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
Source: security-advisories@github.com
https://github.com/aio-libs/aiohttp/pull/7806/files
Source: security-advisories@github.com
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
Source: security-advisories@github.com
Exploit Vendor Advisory
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Third Party Advisory
https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
Source: af854a3a-2127-422b-91ae-364da2661108
https://github.com/aio-libs/aiohttp/pull/7806/files
Source: af854a3a-2127-422b-91ae-364da2661108
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
Source: af854a3a-2127-422b-91ae-364da2661108
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A/
Source: af854a3a-2127-422b-91ae-364da2661108

10 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.3 / 10.0
EPSS (Exploit Probability)
0.2%
47th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-20 CWE-93

Affected Vendors

aiohttp

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3