CVE & CISA-KEV Catalog

CVE-2023-47641

LOW
3.4
CVSS v3
NVD

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.

How to fix

Remediation Available
python-aiohttpDebian
Fixed in:3.7.4-1+deb11u1CVE-2023-47641
Fixed in:3.8.1-1CVE-2023-47641
Fixed in:3.8.1-1CVE-2023-47641
Fixed in:3.8.1-1CVE-2023-47641

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityHigh
Privileges RequiredNone
User InteractionRequired
ScopeChanged

Impact

ConfidentialityLow
IntegrityNone
AvailabilityNone

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Exploit Intelligence

0.83%probability of exploitation in 30 days
53rdpercentile

Moderate risk: more likely to be exploited than 53% of all known CVEs.

References

Related Vulnerabilities

Other CWE-444 vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2022-22536Critical10.098%KEV-
CVE-2025-61884High7.598%KEV + Ransom-
CVE-2020-9490High7.590%-Fix
CVE-2023-41265Critical9.685%KEV + Ransom-
CVE-2023-25690Critical9.884%-Fix
CVE-2022-32214Medium6.578%-Fix
Embed a live status badge for CVE-2023-47641
CVE-2023-47641 severity badge

Markdown

[![CVE-2023-47641](https://tridentstack.com/cve/badge/CVE-2023-47641.svg)](https://tridentstack.com/cve/CVE-2023-47641)

HTML

<a href="https://tridentstack.com/cve/CVE-2023-47641"><img src="https://tridentstack.com/cve/badge/CVE-2023-47641.svg" alt="CVE-2023-47641"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-11-03.