CVE-2023-47627: 
Python vulnerability analysis and mitigation

The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This vulnerability (CVE-2023-47627) affects versions prior to 3.8.6 of the aiohttp package. The parser is only used when AIOHTTPNOEXTENSIONS is enabled or when not using a prebuilt wheel. The vulnerability was discovered and disclosed in November 2023 (NVD, GitHub Advisory).

The vulnerability stems from three main issues in header parsing: 1) Improper parsing of Content-Length values that accepts invalid prefixes and separators, 2) Failure to properly handle NUL, CR, and LF characters in header values as required by RFC 9110, and 3) Incorrect handling of whitespace before colons in HTTP headers, violating RFC 9112 requirements. The vulnerability has a CVSS v3.1 base score of 7.5 HIGH according to NVD, while GitHub rates it as 5.3 MEDIUM (GitHub Advisory).

The vulnerability can be exploited for HTTP request smuggling attacks. Each of the three identified parsing issues can potentially be used to craft malicious requests that could lead to request smuggling, potentially allowing attackers to bypass security controls or inject malicious requests (GitHub Advisory).

The vulnerability has been fixed in aiohttp version 3.8.6. Users are advised to upgrade to this version or later. The fix includes updates to the Python parser to comply with RFCs 9110/9112 and upgrades llhttp to v9.1.3. There are no known workarounds for these issues other than upgrading (GitHub Advisory).