aiohttp has vulnerable dependency that is vulnerable to request smuggling

Summary

llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities. Details have not been disclosed yet, so refer to llhttp for future information. The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).

Published: Nov 27, 2023
Updated: Nov 28, 2023
GHSA: GHSA-pjjw-qhg8-p2p9
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
aiohttp	-	3.8.6

https://github.com/aio-libs/aiohttp/commit/996de2629ef6b4c2934a7c04dfd49d0950d4c43b
https://github.com/aio-libs/aiohttp/commit/bcc416e533796d04fb8124ef1e7686b1f338767a
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9

Vulnerability Database

aiohttp has vulnerable dependency that is vulnerable to request smuggling

Summary