AIOHTTP Request Smuggling Vulnerability Due to Non-ASCII Header Characters

A request smuggling vulnerability has been identified in AIOHTTP, an asynchronous HTTP client/server framework for Python. This issue affects versions 3.13.2 and earlier of the pure Python HTTP parser, particularly when the standard C extensions are not available or when AIOHTTP_NO_EXTENSIONS is enabled. The vulnerability arises from the parser's handling of non-ASCII characters in header values, which could be exploited to manipulate HTTP requests in a way that bypasses certain firewall or proxy protections.

Impact

Exploitation of this vulnerability could lead to a request smuggling attack, allowing an attacker to bypass specific firewall or proxy protections.

Reproduction

The vulnerability can be reproduced by sending an HTTP request that includes non-ASCII characters in the 'Transfer-Encoding' or 'Upgrade' headers. This can be done using a tool that allows for the manipulation of HTTP headers, such as a custom script or a web application testing tool. The request should be sent to a server that uses AIOHTTP version 3.13.2 or earlier, with the pure Python version of AIOHTTP installed or AIOHTTP_NO_EXTENSIONS enabled.

Remediation

Users can upgrade to AIOHTTP version 3.13.3 or later, where this vulnerability has been fixed.