5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-47627

GHSA ID

GHSA-gfw2-4jvh-wgfg

EPSS Score

0.40288%

CWE

CWE-444

Published

11/14/2023

Updated

9/4/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-47627

CVE-2023-47627:
AIOHTTP has problems in HTTP parser (the python one, not llhttp)

Summary

The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).

Details

Bug 1: Bad parsing of `Content-Length` values

Description

RFC 9110 says this:

Content-Length = 1*DIGIT

AIOHTTP does not enforce this rule, presumably because of an incorrect usage of the builtin int constructor. Because the int constructor accepts + and - prefixes, and digit-separating underscores, using int to parse CL values leads AIOHTTP to significant misinterpretation.

Examples

GET / HTTP/1.1\r\n
Content-Length: -0\r\n
\r\n
X

GET / HTTP/1.1\r\n
Content-Length: +0_1\r\n
\r\n
X

Suggested action

Verify that a Content-Length value consists only of ASCII digits before parsing, as the standard requires.

Bug 2: Improper handling of NUL, CR, and LF in header values

Description

RFC 9110 says this:

Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message.

AIOHTTP's HTTP parser does not enforce this rule, and will happily process header values containing these three forbidden characters without replacing them with SP.

Examples

GET / HTTP/1.1\r\n
Header: v\x00alue\r\n
\r\n

GET / HTTP/1.1\r\n
Header: v\ralue\r\n
\r\n

GET / HTTP/1.1\r\n
Header: v\nalue\r\n
\r\n

Suggested action

Reject all messages with NUL, CR, or LF in a header value. The translation to space thing, while technically allowed, does not seem like a good idea to me.

Bug 3: Improper stripping of whitespace before colon in HTTP headers

Description

RFC 9112 says this:

No whitespace is allowed between the field name and colon. In the past, differences in the handling of such whitespace have led to security vulnerabilities in request routing and response handling. A server MUST reject, with a response status code of 400 (Bad Request), any received request message that contains whitespace between a header field name and colon.

AIOHTTP does not enforce this rule, and will simply strip any whitespace before the colon in an HTTP header.

Example

GET / HTTP/1.1\r\n
Content-Length : 1\r\n
\r\n
X

Suggested action

Reject all messages with whitespace before a colon in a header field, as the standard requires.

PoC

Example requests are embedded in the previous section. To reproduce these bugs, start an AIOHTTP server without llhttp (i.e. AIOHTTP_NO_EXTENSIONS=1) and send the requests given in the previous section. (e.g. by printfing into nc)

Impact

Each of these bugs can be used for request smuggling.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-47627

GHSA ID

GHSA-gfw2-4jvh-wgfg

EPSS Score

0.40288%

CWE

CWE-444

Published

11/14/2023

Updated

9/4/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
aiohttp	pip	< 3.8.6	3.8.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows critical fixes in parse_headers() and its get_content_length helper:

Added isdigit() check for Content-Length values (CVE-2023-47627 Bug 1)
Added rejection of NUL/CR/LF in header values (Bug 2)
Added checks for whitespace before colons (Bug 3) These functions were directly modified in the security patch, confirming their role in the vulnerabilities. The Python HTTP parser (not llhttp) is explicitly called out in the vulnerability description as the affected component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# Summ*ry T** *TTP p*rs*r in *IO*TTP **s num*rous pro*l*ms wit* *****r p*rsin*, w*i** *oul* l*** to r*qu*st smu**lin*. T*is p*rs*r is only us** w**n `*IO*TTP_NO_*XT*NSIONS` is *n**l** (or not usin* * pr**uilt w***l). # **t*ils ## *u* *: *** p*rsin

Reasoning

T** *ommit *i** s*ows *riti**l *ix*s in p*rs*_*****rs() *n* its **t_*ont*nt_l*n*t* **lp*r: *. ***** is*i*it() ****k *or *ont*nt-L*n*t* v*lu*s (*V*-****-***** *u* *) *. ***** r*j**tion o* NUL/*R/L* in *****r v*lu*s (*u* *) *. ***** ****ks *or w*it*sp*

5.3

Basic Information

Concerned about an active attack path?

CVE-2023-47627: AIOHTTP has problems in HTTP parser (the python one, not llhttp)

Summary

Details

Bug 1: Bad parsing of Content-Length values

Description

Examples

Suggested action

Bug 2: Improper handling of NUL, CR, and LF in header values

Description

Examples

Suggested action

Bug 3: Improper stripping of whitespace before colon in HTTP headers

Description

Example

Suggested action

PoC

Impact

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-47627:
AIOHTTP has problems in HTTP parser (the python one, not llhttp)

Bug 1: Bad parsing of `Content-Length` values

Vulnerability Intelligence
Miggo AI