Github Security Blog
added 2026/01/05 10:58 p.m. (8 views)

AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb

Summary: A zip bomb can be used to execute a DoS against the aiohttp server. Impact: An attacker may be able to send a compressed request that, when decompressed by aiohttp, could exhaust the host's memory. Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c91...

CVSS 7.5, AI score 7.1, EPSS 0.00055
Exploits: 0, References: 4, Affected Software: 1
RedHat Linux
added 2024/04/23 5:18 p.m. (0 views)

python-aiohttp: numerous issues in HTTP parser with header parsing

An HTTP request smuggling vulnerability was found in aiohttp. Numerous issues with HTTP parsing can allow an attacker to smuggle HTTP requests...

CVSS 7.5, AI score 7.1, EPSS 0.00215
Exploits: 1, References: 5
OSV
added 2024/01/29 10:30 p.m. (0 views)

GHSA-8QPW-XQXJ-H4R2 aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators

Summary: Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger...

CVSS 6.9, AI score 6.7, EPSS 0.00488
Exploits: 1, References: 12
OSV
added 2023/11/14 10:20 p.m. (3 views)

GHSA-GFW2-4JVH-WGFG AIOHTTP has problems in HTTP parser (the python one, not llhttp)

Summary: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled or when not using a prebuilt wheel. Details: Bug 1: Bad parsing of Content-Length values. Description: RFC 9110 says this:...

CVSS 6.9, AI score 6.7, EPSS 0.00215
Exploits: 1, References: 10