AIOHTTP Cross-Origin Redirect Cookie Handling Vulnerability

Vulnerability

A vulnerability exists in AIOHTTP versions prior to 3.14.0: cookies passed through the 'cookies' parameter of a request are still sent after the client follows a cross-origin redirect. This behavior can lead to the unintentional leakage of sensitive data if an attacker is able to control the redirect. The issue has been patched in version 3.14.0. For users unable to upgrade, a workaround is to pass the cookies as a 'Cookie' header in the 'headers' parameter, which is not vulnerable.

Impact

Exploitation of this vulnerability could result in the unauthorized disclosure of sensitive data through cross-origin redirects.

Reproduction

The vulnerability can be reproduced by sending a request with the 'cookies' parameter set. If the response redirects to a different origin, the client sends those cookies along with the redirected request, potentially leaking sensitive information to whoever controls the redirect target.

Remediation

Users should upgrade to AIOHTTP version 3.14.0 or later. If an upgrade is not possible, use a 'Cookie' header in the 'headers' parameter instead of the 'cookies' parameter.
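The following Python is an added example, not aiohttp's own code: it models the behaviour the advisory describes and the check a fixed client has to apply, namely forwarding per-request cookies on a redirect only while the target stays on the original origin. The hostnames, the session value and the choice to compare each hop against the original request URL are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Default ports so "https://h/" and "https://h:443/" count as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of a URL: the tuple 'cross-origin' is measured on."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme, 0)

def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)

def cookies_for_redirect(original_url, redirect_url, request_cookies, *, vulnerable=False):
    """Cookies to attach to the redirected request.

    vulnerable=True reproduces the pre-3.14.0 behaviour the advisory describes
    (per-request cookies follow every redirect).  The hardened path keeps them
    only while the target stays on the original request's origin.
    """
    if vulnerable or same_origin(original_url, redirect_url):
        return dict(request_cookies)
    return {}

def trace_redirects(start_url, locations, request_cookies, *, vulnerable=False):
    """Walk a chain of Location values and return [(url, cookies_sent), ...].

    Each hop is compared with the original request URL; that is an assumption
    of this example, not a statement about aiohttp's internals.
    """
    trace = [(start_url, dict(request_cookies))]
    for url in locations:
        trace.append((url, cookies_for_redirect(start_url, url, request_cookies, vulnerable=vulnerable)))
    return trace

# Constructed scenario: login on app.example, one same-origin hop, then a
# redirect to a third-party host.  All values are made up for this example.
START = "https://app.example/login"
CHAIN = ["https://app.example/home", "https://third-party.example/collect"]
SESSION = {"session": "constructed-session-value"}

def leaked_hops(vulnerable):
    """Redirect targets off the original origin that would still receive the cookies."""
    return [url for url, sent in trace_redirects(START, CHAIN, SESSION, vulnerable=vulnerable)
            if sent and not same_origin(START, url)]
```

Running leaked_hops(True) reports the third-party hop, while leaked_hops(False) reports nothing; note that a scheme change (http to https on the same host) is also treated as cross-origin.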

Added: Jun 2, 2026, 8:30 PM
Updated: Jun 2, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 7.7
remediation: 8.3
relevance: 9.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.