fix: (upgrade) aiohttp allows request smuggling due to incorrect parsing of chunk extensions

[lamcodeofpwnosec]

What changed? Why?

The parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

from aiohttp import web

async def handle(request):
    return web.Response(text="Hello, world")

app = web.Application()
app.add_routes([web.get('/', handle)])

if __name__ == '__main__':
    web.run_app(app)

def test_partial_url(parser: Any) -> None:
                            # Verify no LF in the chunk-extension
                            if b"\n" in (ext := chunk[i:pos]):
                                exc = BadHttpMessage(
                                    f"Unexpected LF in chunk-extension: {ext!r}"
                                )
                                set_exception(self.payload, exc)
                                raise exc

In specific setups, if the pure Python parser is in use, an attacker could craft a malicious HTTP request containing newlines within the chunk extension headers. This request could then be processed incorrectly, enabling a request smuggling attack.

Mitigation

To secure your systems, it is strongly recommended to update aiohttp to version 3.10.11 or later. You can find more details on the update in the following commit link.

CVE-2024-52304
WeaknessCWE-444

[cb-heimdall]

🟡 Heimdall Review Status

Requirement	Status	More Info
Reviews	🟡 0/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 0 Sum 1