CVE-2024-52304: 
Wolfi vulnerability analysis and mitigation

aiohttp, an asynchronous HTTP client/server framework for asyncio and Python, was found to contain a vulnerability (CVE-2024-52304) prior to version 3.10.11. The vulnerability stems from the Python parser incorrectly parsing newlines in chunk extensions, which could potentially lead to request smuggling vulnerabilities under specific conditions (GitHub Advisory).

The vulnerability exists in the Python parser's handling of chunk extensions. When a pure Python version of aiohttp is installed (without the usual C extensions) or when AIOHTTPNOEXTENSIONS is enabled, the parser incorrectly processes newlines in chunk extensions. This issue has been assigned a CVSS v4.0 score of 6.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) (NVD).

The vulnerability could allow an attacker to execute request smuggling attacks, potentially bypassing certain firewalls or proxy protections. This is particularly concerning in environments where the pure Python implementation is used or when AIOHTTPNOEXTENSIONS is enabled (GitHub Advisory).

The vulnerability has been fixed in aiohttp version 3.10.11. Users are advised to upgrade to this version or later to address the security issue. The fix involves correcting the parsing of chunk extensions in the Python parser (GitHub Advisory).