aiohttp's ClientSession is vulnerable to CRLF injection via method
Summary
| CVE | CVE-2023-49082 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-11-29 20:15:08 UTC |
| Updated | 2026-06-23 18:17:35 UTC |
| Description | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.009400000 probability, percentile 0.564540000 (date 2026-06-28)
Problem Types: CWE-20 | CWE-93 | CWE-93 CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') | CWE-20 CWE-20: Improper Input Validation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | [email protected] | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | DECLARED | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx | af854a3a-2127-422b-91ae-364da2661108 | github.com | Exploit, Vendor Advisory |
| Add HTTP method validation (#6533) (#7806) · aio-libs/aiohttp@e4ae01c · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Add HTTP method validation (#6533) by Dreamsorcerer · Pull Request #7806 · aio-libs/aiohttp · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | |
| gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b | af854a3a-2127-422b-91ae-364da2661108 | gist.github.com | Exploit, Third Party Advisory |
| lists.debian.org/debian-lts-announce/2025/02/msg00002.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | |
| :https://lists.fedoraproject.org/archives/list/[email protected]/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA/ | MITRE | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.