aio-libs aiohttp
cpe:2.3:a:aiohttp_project:aiohttp:*:*:*:*:*:*:*
- <= 3.13.3
A vulnerability exists in the aiohttp C parser (the default whenever the compiled extension is present, which the project's binary wheels ship) in versions through 3.13.3. The parser accepts header values that contain null bytes and other control characters, which RFC 9110 does not permit in a field value. Such a value can be read differently by aiohttp than by a reverse proxy or another parser in the request path (header injection). For instance, `request.url.origin()` may return a value that does not accurately reflect the raw Host header, or the host a reverse proxy routed on, so host-based checks built on it may be bypassed.
Impact: an attacker who can place control characters in a header value can have aiohttp interpret that value differently from the other components that handled the request, which may bypass security checks that rely on header values or cause unexpected application behaviour.
To reproduce, run an aiohttp server on an affected version with the C parser enabled (the default when the extension is present; setting `AIOHTTP_NO_EXTENSIONS=1` forces the pure-Python parser for comparison) and send a request whose header value contains a null byte or another control character. Standard client libraries typically refuse to send such values (Python's `http.client` raises `ValueError`), so a raw socket is the practical way to deliver the request. The vulnerable C parser accepts the value and hands it to the application, where the header is then interpreted with the embedded control character.
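The check a compliant parser applies, as an added example (not aiohttp project code): `validate_header_lines` walks the header block of a raw HTTP/1.x message and flags any field value containing a byte outside the RFC 9110 `field-value` grammar (CTLs other than HTAB, including NUL), run here over a constructed request whose Host and X-Forwarded-Host values carry such bytes. The `reject_control_chars` middleware is a defence-in-depth form of the same check over `request.raw_headers` for applications that cannot upgrade immediately. The function names and the sample requests are this example's own assumptions.

```python
"""RFC 9110 field-value check for HTTP/1.x headers (added example, not aiohttp code)."""
from __future__ import annotations

import re

# RFC 9110 s5.5: field-vchar = VCHAR / obs-text, separated by SP / HTAB.
# Bytes 0x00-0x08, 0x0A-0x1F and 0x7F are CTLs and must be rejected; HTAB (0x09)
# is allowed inside a value; 0x80-0xFF is obs-text and tolerated.
_FORBIDDEN_IN_VALUE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
# RFC 9110 token (tchar+) for field names.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def find_forbidden_bytes(value: bytes) -> list[int]:
    """Return offsets of control bytes (other than HTAB) inside a field value."""
    return [m.start() for m in _FORBIDDEN_IN_VALUE.finditer(value)]


def validate_header_lines(raw: bytes) -> list[str]:
    """Check the header block of a raw HTTP/1.x message.

    `raw` is everything after the start line, up to and including the blank
    line that ends the header section. Returns human-readable problems; an
    empty list means every field conforms to the RFC 9110 grammar.
    """
    problems: list[str] = []
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("header section not terminated by CRLF CRLF")
    for lineno, line in enumerate(head.split(b"\r\n"), start=1):
        if not line:
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append(f"line {lineno}: no ':' separator")
            continue
        if not _TOKEN.match(name):
            problems.append(f"line {lineno}: field name {name!r} is not a token")
        value = value.strip(b" \t")  # optional whitespace around the value is legal
        bad = find_forbidden_bytes(value)
        if bad:
            problems.append(
                f"line {lineno}: {name.decode('ascii', 'replace')} value has "
                f"control byte(s) at offset(s) {bad}: {value!r}"
            )
    return problems


def header_block(request: bytes) -> bytes:
    """Drop the start line so the rest can be fed to validate_header_lines."""
    return request.split(b"\r\n", 1)[1]


# Constructed sample input: a Host value with an embedded NUL and an
# X-Forwarded-Host value with a 0x01 byte, the kind of values the flaw lets through.
MALICIOUS_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: app.example\x00evil.example\r\n"
    b"X-Forwarded-Host: app.example\x01\r\n"
    b"User-Agent: probe\r\n"
    b"\r\n"
)
# Constructed clean request; the HTAB inside User-Agent is permitted by the grammar.
CLEAN_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"User-Agent: probe\tv1\r\n"
    b"\r\n"
)

try:
    from aiohttp import web

    @web.middleware
    async def reject_control_chars(request: web.Request, handler):
        """Defence in depth: refuse any request whose raw header values carry
        control bytes, independent of what the underlying parser accepted."""
        for _name, value in request.raw_headers:
            if find_forbidden_bytes(value):
                raise web.HTTPBadRequest(text="control character in header value")
        return await handler(request)

except ImportError:  # aiohttp not installed: the standalone checker still works
    web = None

if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(label, validate_header_lines(header_block(req)) or "ok")
```

Install the middleware with `web.Application(middlewares=[reject_control_chars])`; it only narrows what reaches handlers and does not replace the upgrade, since the parser has already accepted the bytes by the time middleware runs.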
Upgrade to aiohttp 3.13.4 or later, which rejects header values containing null bytes and control characters. Until the upgrade is rolled out, a reverse proxy in front of aiohttp that enforces the RFC 9110 field-value grammar limits exposure, though it does not remove the flaw in the parser itself.