AIOHTTP Response Header Injection Vulnerability

Vulnerability

A vulnerability in AIOHTTP, an asynchronous HTTP client/server framework for Python, allows response header injection. It affects AIOHTTP versions through 3.13.3. The issue arises when an attacker controls the 'reason' parameter passed while creating a response; a reason phrase containing line-break characters can inject extra headers or enable similar exploits. Applications that place untrusted data in a response's 'reason' parameter could therefore send unintended information to the client.

Impact

Exploitation of this vulnerability could lead to HTTP response splitting, allowing attackers to manipulate response headers and potentially inject malicious content or disrupt the intended response flow.

Reproduction

The vulnerability can be reproduced by creating a response in AIOHTTP with a 'reason' parameter that includes CRLF characters. This can be done by using the 'HTTPOk' class and passing a reason of 'Bad\r\nInjected-header: foo', which injects the 'Injected-header' line into the response.
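A defensive check for the untrusted-reason pattern described above, as an added example that is not aiohttp's code and not its 3.13.4 patch: it validates a reason phrase against the RFC 9112 reason-phrase grammar (which excludes CR, LF and other control characters) and falls back to the standard phrase for the status code. The function names and the sample payload usage are my own.

```python
import re
from http import HTTPStatus

# RFC 9112: reason-phrase = *( HTAB / SP / VCHAR / obs-text )
# VCHAR is 0x21-0x7E and obs-text is 0x80-0xFF, so CR, LF, NUL, DEL and
# every other control character fall outside the grammar. Nothing outside
# this set should ever be written into the status line of a response.
_REASON_PHRASE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class UnsafeReasonPhrase(ValueError):
    """Raised when a reason phrase contains characters the status line cannot carry."""


def is_safe_reason(reason: str) -> bool:
    """True if every character of `reason` is allowed in an HTTP/1.1 reason phrase."""
    return _REASON_PHRASE.fullmatch(reason) is not None


def validate_reason(reason: str) -> str:
    """Strict variant for code paths that should fail loudly on tainted input."""
    if not is_safe_reason(reason):
        bad = sorted({f"0x{ord(c):02x}" for c in reason if not is_safe_reason(c)})
        raise UnsafeReasonPhrase(f"reason phrase contains forbidden octets: {', '.join(bad)}")
    return reason


def sanitize_reason(reason: str, status: int) -> str:
    """Lenient variant: keep a valid custom phrase, otherwise use the standard one."""
    if is_safe_reason(reason):
        return reason
    try:
        return HTTPStatus(status).phrase
    except ValueError:
        return ""  # unknown status code: an empty reason phrase is valid per RFC 9112


def status_line(status: int, reason: str) -> str:
    """Build the status line from the sanitized phrase, so it is always a single line."""
    return f"HTTP/1.1 {status} {sanitize_reason(reason, status)}"


if __name__ == "__main__":
    # Constructed sample: the CRLF payload quoted in the Reproduction section.
    tainted = "Bad\r\nInjected-header: foo"
    print(status_line(200, tainted))              # HTTP/1.1 200 OK
    print(status_line(404, "Resource Missing"))   # HTTP/1.1 404 Resource Missing
```

Wrapping aiohttp response construction so the reason passes through `sanitize_reason` (or `validate_reason` in test suites) closes this class of bug independently of the library version.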

Remediation

Users can upgrade to AIOHTTP version 3.13.4 or later, where this vulnerability has been patched.

Added: Apr 1, 2026, 9:45 PM
Updated: Apr 1, 2026, 9:45 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 1.3
exploitability: 9.1
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.