GHSA-mqqc-3gqh-h2x8

Published: 05 Jan 2026
Source: github
GitHub: Reviewed
CVSS4: 2.7

Description

AIOHTTP has unicode match groups in regexes for ASCII protocol elements

Summary

The parser allows non-ASCII decimals to be present in the Range header.

Impact

There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.


Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
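
The behaviour described in the Summary, as an added example that is not aiohttp's code (the patterns, the `parse_range` and `accepts` helpers and the sample values are hypothetical): in a Python `str` regex `\d` matches any Unicode decimal digit, and `int()` then converts it, so the fix is to match `[0-9]` or compile with `re.ASCII`.

```python
import re

# Hypothetical patterns for illustration; not copied from aiohttp.
# In a str pattern, \d matches every Unicode decimal digit (category Nd).
LOOSE_RANGE = re.compile(r"bytes=(\d*)-(\d*)")
# Fix 1: spell out the ASCII digits the protocol allows.
STRICT_RANGE = re.compile(r"bytes=([0-9]*)-([0-9]*)")
# Fix 2: keep \d but restrict it to ASCII with a flag.
ASCII_FLAG_RANGE = re.compile(r"bytes=(\d*)-(\d*)", re.ASCII)

# Constructed sample header values; all three read as "0-499" to int().
ASCII_HEADER = "bytes=0-499"
ARABIC_INDIC_HEADER = "bytes=\u0660-\u0664\u0669\u0669"
FULLWIDTH_HEADER = "bytes=\uff10-\uff14\uff19\uff19"


def parse_range(value, pattern):
    """Parse one 'bytes=start-end' value into (start, end); None means open."""
    match = pattern.fullmatch(value)
    if match is None:
        raise ValueError(f"malformed Range value: {value!r}")
    start, end = match.groups()
    if not start and not end:
        raise ValueError("range has neither start nor end")
    # int() accepts non-ASCII decimal digits too, so it is not a second
    # line of defence: whatever the regex lets through gets converted.
    return (int(start) if start else None, int(end) if end else None)


def accepts(value, pattern):
    """True if the value parses under the given pattern."""
    try:
        parse_range(value, pattern)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for header in (ASCII_HEADER, ARABIC_INDIC_HEADER, FULLWIDTH_HEADER):
        print(ascii(header),
              "loose:", accepts(header, LOOSE_RANGE),
              "strict:", accepts(header, STRICT_RANGE),
              "re.ASCII:", accepts(header, ASCII_FLAG_RANGE))
```
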

Packages

Name: aiohttp (pip)
Affected versions: <= 3.13.2
Fixed version: 3.13.3

EPSS

Percentile: 18%
0.00055
Low

2.7 Low

CVSS4

Weaknesses

CWE-444

Related vulnerabilities

ubuntu
10 days ago

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.

nvd
10 days ago

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.

debian
10 days ago

AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
