AIOHTTP Chunked Message Processing Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in AIOHTTP, an asynchronous HTTP client/server framework for Python; it affects AIOHTTP versions through 3.13.2. The vulnerability lies in the handling of chunked messages: when a request arrives as a very large number of chunks, processing it consumes excessive blocking CPU time. If an application calls the request.read() method in an endpoint, an attacker can exploit this behaviour to make the server spend a significant amount of time processing a single request, leaving it unable to handle other requests and producing a denial-of-service condition.

Impact

Exploiting this vulnerability causes moderate blocking CPU usage on the server, approximately 1 second per request. While the server is blocked it cannot process other incoming requests, which results in a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a chunked HTTP request to a server running an AIOHTTP version up to and including 3.13.2, making sure the request is handled by an endpoint that calls request.read(). The server will then show increased CPU usage and block other requests for about 1 second.
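As an added illustration of the defensive side of the chunked-message handling described above (this is not aiohttp's code, and it does not replace the upgrade to 3.13.3), the following pure-Python decoder for HTTP/1.1 chunked transfer encoding enforces a chunk-count and byte budget so that a body made of a very large number of chunks is rejected early rather than processed in full; the limits, function names and sample bodies are assumptions constructed for this example.

```python
# Added illustration, not aiohttp's code: a bounded decoder for HTTP/1.1 chunked
# transfer-encoding bodies that rejects a body exceeding a chunk-count or byte
# budget before assembling it. Limits and inputs are constructed for this example.
HEXDIGITS = b"0123456789abcdefABCDEF"

class ChunkedBodyError(ValueError):
    """Malformed body, or a body exceeding the configured budget."""

def decode_chunked(data: bytes, max_chunks: int = 1000, max_bytes: int = 1 << 20) -> bytes:
    """Decode a complete chunked body, enforcing chunk-count and size limits."""
    out = bytearray()
    pos = 0
    chunks = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise ChunkedBodyError("incomplete chunk-size line")
        # Chunk extensions (";name=value") are permitted by RFC 9112; ignore them.
        size_field = data[pos:end].split(b";", 1)[0].strip()
        if not size_field or any(c not in HEXDIGITS for c in size_field):
            raise ChunkedBodyError("invalid chunk size")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break  # last-chunk: only optional trailer fields remain
        chunks += 1
        if chunks > max_chunks:
            raise ChunkedBodyError(f"more than {max_chunks} chunks")
        if len(out) + size > max_bytes:
            raise ChunkedBodyError(f"body exceeds {max_bytes} bytes")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedBodyError("truncated chunk data")
        out += data[pos:pos + size]
        pos += size + 2
    # Skip trailer fields up to the empty line that terminates the message.
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise ChunkedBodyError("missing final CRLF")
        if end == pos:
            return bytes(out)
        pos = end + 2

def body_within_limits(data: bytes, max_chunks: int = 1000, max_bytes: int = 1 << 20) -> bool:
    """True if the body decodes within budget, False if it is rejected."""
    try:
        decode_chunked(data, max_chunks, max_bytes)
        return True
    except ChunkedBodyError:
        return False
```

The budget is checked before each chunk is copied, so a body that would exceed it is refused after at most max_chunks size lines have been parsed.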

Remediation

Users can upgrade to AIOHTTP version 3.13.3 or later to address this vulnerability.

Added: Jan 6, 2026, 12:22 AM
Updated: Jan 6, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.