aiohttp CookieJar Arbitrary Code Execution Vulnerability

Vulnerability

A vulnerability in the aiohttp library's CookieJar component, present in versions prior to 3.14.0, allows for arbitrary code execution when the CookieJar.load() method is used with untrusted input. Although this issue is unlikely to impact many applications, as most will use this function with the user's own data, it poses a risk if an application loads files controlled by an attacker without proper sanitization.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution through the deserialization of malicious pickle payloads, as acknowledged by the aiohttp maintainers.

Reproduction

The vulnerability can be reproduced by using the CookieJar.load() method to load a pickle file that contains a crafted payload. This payload can be designed to execute arbitrary code when the pickle file is deserialized, bypassing the restrictions of the unpickler.

Remediation

Users can update to aiohttp version 3.14.0 or later, where this vulnerability has been patched. For applications that cannot be immediately updated, a workaround is to sanitize files before loading them into the CookieJar.
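One concrete form of the workaround, as an added example written for this page (not aiohttp's own code): persist cookies in a plain JSON format that a parser cannot turn into code, and validate the file's shape before anything reaches the jar. The example uses only the standard library so it runs without aiohttp installed; the assumed integration point is `CookieJar.update_cookies()`, which accepts a `SimpleCookie` and is shown in a comment rather than called.

```python
import json
from http.cookies import CookieError, SimpleCookie

# Morsel attributes allowed to round-trip; anything else in the file is rejected.
ALLOWED_ATTRS = {"domain", "path", "expires", "max-age", "secure", "httponly", "samesite"}


def cookies_to_json(cookies: SimpleCookie) -> bytes:
    """Serialize a SimpleCookie as a JSON list of {name, value, attrs} records."""
    records = []
    for name, morsel in cookies.items():
        attrs = {k: v for k, v in morsel.items() if v and k in ALLOWED_ATTRS}
        records.append({"name": name, "value": morsel.value, "attrs": attrs})
    return json.dumps(records).encode("utf-8")


def cookies_from_json(data: bytes) -> SimpleCookie:
    """Parse cookie records back into a SimpleCookie, rejecting anything that is
    not exactly the expected shape. json.loads never executes code, so a pickle
    stream handed to this loader is just a parse error, not a deserialization."""
    records = json.loads(data)
    if not isinstance(records, list):
        raise ValueError("cookie file must contain a JSON list")
    cookies = SimpleCookie()
    for rec in records:
        if not isinstance(rec, dict) or set(rec) != {"name", "value", "attrs"}:
            raise ValueError("unexpected cookie record shape")
        name, value, attrs = rec["name"], rec["value"], rec["attrs"]
        if not (isinstance(name, str) and isinstance(value, str) and isinstance(attrs, dict)):
            raise ValueError("cookie name/value must be strings, attrs a mapping")
        cookies[name] = value  # raises CookieError on an illegal cookie name
        for key, val in attrs.items():
            if key not in ALLOWED_ATTRS or not isinstance(val, (str, bool)):
                raise ValueError(f"disallowed cookie attribute: {key!r}")
            cookies[name][key] = val  # Morsel only accepts its reserved keys
    return cookies


def validate_cookie_file(data: bytes) -> bool:
    """True if the bytes are a well-formed cookie file, False otherwise.
    UnicodeDecodeError and JSONDecodeError are both ValueError subclasses."""
    try:
        cookies_from_json(data)
    except (ValueError, CookieError):
        return False
    return True


# Constructed sample: a session cookie as an application might persist it.
SAMPLE = SimpleCookie()
SAMPLE["sid"] = "abc123"
SAMPLE["sid"]["path"] = "/"
SAMPLE["sid"]["secure"] = True

if __name__ == "__main__":
    blob = cookies_to_json(SAMPLE)
    restored = cookies_from_json(blob)
    print(restored["sid"].value, restored["sid"]["path"], restored["sid"]["secure"])
    # Assumed integration point (not exercised here, so no aiohttp dependency):
    #   jar = aiohttp.CookieJar(); jar.update_cookies(restored)
    # A pickle stream (protocol 2+ starts with 0x80) is refused, not unpickled:
    print(validate_cookie_file(b"\x80\x04\x95constructed, not a real pickle"))
```

The loader deliberately has no fallback to `pickle`: a file that fails validation is reported, not loaded, so a stored cookie file controlled by someone else can at worst cause a failed load.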

Added: Jun 2, 2026, 8:35 PM
Updated: Jun 2, 2026, 8:35 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 7.5
exploitability: 7.1
remediation: 7.9
relevance: 9.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.