QwikSec

Security Database

CVE

CWE

Training

CVE-2023-49082

Published: Nov 29, 2023

Modified: Nov 4, 2025

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

Vendor	Product	Versions
aio-libs	aiohttp	affected `< 3.9.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx

x_refsource_CONFIRM

https://github.com/aio-libs/aiohttp/pull/7806/files

x_refsource_MISC

https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466

x_refsource_MISC

https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.