aiohttp allows request smuggling due to incorrect parsing of chunk extensions
The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS
is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71