Update dependency aiohttp to v3.14.0 [SECURITY]#701
renovate[bot] wants to merge 1 commit into
Codecov Report: All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
##           master     #701   +/-   ##
=======================================
  Coverage   94.39%   94.39%
=======================================
  Files           9        9
  Lines         874      874
  Branches      121      121
=======================================
  Hits          825      825
  Misses         22       22
  Partials       27       27
This PR contains the following updates:
aiohttp: 3.12.13 → 3.14.0
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
CVE-2025-53643 / GHSA-9548-qrrj-x5pj
Summary
The Python parser is vulnerable to a request smuggling vulnerability because it does not parse the trailer section of a chunked HTTP request.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: aio-libs/aiohttp@e8d774f
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
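The parsing discrepancy this advisory describes, shown with a toy chunked-body decoder. This is an added example written for this page, not aiohttp's parser or the referenced patch: one decoder consumes the trailer section as RFC 9112 requires, the other considers the message finished at the last-chunk, so the two disagree about where the first message ends and therefore about what the next request on the connection is. A front-end proxy and a back-end that disagree in this way are the precondition for request smuggling. The sample bytes, the pipelined request and the function names are constructed for the example.

```python
"""Toy chunked-body decoder: where a message ends depends on whether trailers are parsed."""
from dataclasses import dataclass

CRLF = b"\r\n"


@dataclass
class ChunkedMessage:
    body: bytes
    trailers: dict
    remainder: bytes  # bytes left over, i.e. what this decoder treats as the NEXT request


def decode_chunked(buf: bytes, parse_trailers: bool) -> ChunkedMessage:
    """Decode one chunked message from the front of buf.

    parse_trailers=True  follows RFC 9112 section 7.1: after the last-chunk
                         ("0" CRLF) read trailer fields up to an empty line.
    parse_trailers=False models a decoder with no notion of a trailer section
                         that considers the message finished at the last-chunk
                         (the shape of the flaw in the advisory, not its code).
    """
    body = bytearray()
    pos = 0
    while True:
        eol = buf.index(CRLF, pos)
        size = int(buf[pos:eol].split(b";", 1)[0], 16)  # chunk-ext is ignored
        pos = eol + 2
        if size == 0:
            break
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != CRLF:
            raise ValueError("chunk-data not terminated by CRLF")
        pos += 2

    trailers = {}
    if parse_trailers:
        while True:
            eol = buf.index(CRLF, pos)
            line = buf[pos:eol]
            pos = eol + 2
            if not line:  # the empty line ends the trailer section
                break
            name, sep, value = line.decode("latin-1").partition(":")
            if not sep:
                raise ValueError("malformed trailer field")
            trailers[name.strip().lower()] = value.strip()
    elif buf[pos:pos + 2] == CRLF:
        pos += 2  # only an immediate empty line is consumed; trailer bytes are left behind
    return ChunkedMessage(bytes(body), trailers, buf[pos:])


def boundaries_agree(buf: bytes) -> bool:
    """True if both decoders end the first message at the same byte."""
    strict = decode_chunked(buf, parse_trailers=True)
    lenient = decode_chunked(buf, parse_trailers=False)
    return strict.remainder == lenient.remainder


# Constructed sample: one chunked body carrying a trailer field, followed by a
# second, pipelined request on the same connection.
NEXT_REQUEST = b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n"
WITH_TRAILER = b"5\r\nhello\r\n0\r\nX-Checksum: abc123\r\n\r\n" + NEXT_REQUEST
NO_TRAILER = b"5\r\nhello\r\n0\r\n\r\n" + NEXT_REQUEST

if __name__ == "__main__":
    print("no trailer, decoders agree:", boundaries_agree(NO_TRAILER))
    print("trailer present, decoders agree:", boundaries_agree(WITH_TRAILER))
    print("lenient decoder's 'next request' starts with:",
          decode_chunked(WITH_TRAILER, False).remainder[:20])
```

The deployment check that matters for this and the other "Python parser" advisories is whether the pure-Python parser is actually in use: that path is selected when the compiled extensions are missing from the installed wheel or when AIOHTTP_NO_EXTENSIONS is set, so confirm which parser the production interpreter loads rather than assuming the C parser.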
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
CVE-2025-69223 / GHSA-6mq8-rvhq-8wgg
Summary
A zip bomb can be used to execute a DoS against the aiohttp server.
Impact
An attacker may be able to send a compressed request that, when decompressed by aiohttp, could exhaust the host's memory.
Patch: aio-libs/aiohttp@2b920c3
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
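One way to bound decompression in the spirit of the 3.14.0 change described later in the release notes (decompress highly compressed payloads in chunks instead of either refusing them or inflating everything at once). This is an added example, not aiohttp's code or its patch: zlib.decompressobj's max_length argument caps what a single call returns and parks the unread compressed input in unconsumed_tail, so a cap on total output is enforced before the memory is spent. make_bomb, inflate_bounded, the 256 KiB piece size and the caps used below are choices made for the example.

```python
"""Bounded inflation: decompress in fixed-size pieces and stop once a cap is exceeded."""
import zlib


def make_bomb(plain_size: int) -> bytes:
    """Constructed sample: a tiny deflate stream that inflates to plain_size zero bytes."""
    return zlib.compress(b"\x00" * plain_size, 9)


def inflate_bounded(data: bytes, max_output: int, piece_size: int = 256 * 1024) -> bytes:
    """Inflate data but never accumulate more than max_output bytes of plaintext.

    decompressobj().decompress(buf, max_length) returns at most max_length bytes and
    keeps the rest of the compressed input in .unconsumed_tail, so each round costs
    at most piece_size bytes no matter how extreme the compression ratio is.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, piece_size)
        if len(out) + len(piece) > max_output:
            raise ValueError(f"decompressed size exceeds cap of {max_output} bytes")
        out += piece
        pending = d.unconsumed_tail
        if not piece and not pending and not d.eof:
            raise ValueError("truncated or corrupt compressed stream")
    return bytes(out)


def exceeds_cap(data: bytes, max_output: int) -> bool:
    """True if the payload would inflate past max_output, i.e. the request should be refused."""
    try:
        inflate_bounded(data, max_output)
    except ValueError:
        return True
    return False


def compression_ratio(data: bytes, plain_size: int) -> float:
    return plain_size / len(data)


if __name__ == "__main__":
    size = 4 * 1024 * 1024  # 4 MiB of zeros
    bomb = make_bomb(size)
    print(f"{len(bomb)} compressed bytes, ratio {compression_ratio(bomb, size):.0f}:1")
    print("refused with a 1 MiB cap:", exceeds_cap(bomb, 1024 * 1024))
    print("inflated with an 8 MiB cap:", len(inflate_bounded(bomb, 8 * 1024 * 1024)), "bytes")
```

The cap should track whatever limit the application already applies to the decoded body (client_max_size on the server side), since a limit that is only checked after inflation is exactly the gap the advisory describes.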
AIOHTTP's unicode processing of header values could cause parsing discrepancies
CVE-2025-69224 / GHSA-69f9-5gxw-wvc2
Summary
The Python HTTP parser may allow a request smuggling attack in the presence of non-ASCII characters.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: aio-libs/aiohttp@32677f2
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
AIOHTTP vulnerable to brute-force leak of internal static file path components
CVE-2025-69226 / GHSA-54jq-c3m8-4m76
Summary
Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components.
Impact
If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.
Patch: aio-libs/aiohttp@f2a86fd
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
CVE-2025-69225 / GHSA-mqqc-3gqh-h2x8
Summary
The parser allows non-ASCII decimals to be present in the Range header.
Impact
There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.
Patch: aio-libs/aiohttp@c7b7a04
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
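What "non-ASCII decimals" in a protocol element means in Python terms, as an added example (not aiohttp code) that covers both this advisory and CVE-2025-69224 above: in a str pattern \d matches every Unicode decimal digit unless re.ASCII is set, str.isdecimal() is equally Unicode-aware, and int() accepts those digits, so a parser written that way reads a Range or Content-Length value spelled with Arabic-Indic digits as 12, while an ASCII-only parser rejects the same bytes. Two components reading different lengths for one request is the smuggling primitive the advisories allude to. The sample values and function names are constructed for the example.

```python
"""Unicode-aware regex classes and int() accept non-ASCII digits; protocol parsers must not."""
from __future__ import annotations

import re

# RFC 9110 defines Range and Content-Length in terms of ASCII DIGIT (0x30-0x39).
# In a str pattern, \d matches every Unicode decimal digit unless re.ASCII is given.
RANGE_LAX = re.compile(r"bytes=(\d*)-(\d*)")
RANGE_STRICT = re.compile(r"bytes=(\d*)-(\d*)", re.ASCII)


def parse_range(header: str, pattern: re.Pattern) -> tuple[int | None, int | None] | None:
    """Parse a single 'bytes=first-last' value; None when the pattern rejects it."""
    m = pattern.fullmatch(header)
    if not m:
        return None
    first, last = m.groups()
    return (int(first) if first else None, int(last) if last else None)


def content_length_lax(value: str) -> int | None:
    """str.isdecimal() accepts any Unicode decimal digit, and int() parses them."""
    return int(value) if value.isdecimal() else None


def content_length_strict(value: str) -> int | None:
    """Restrict to ASCII first; this is the check a protocol parser needs."""
    return int(value) if value.isascii() and value.isdecimal() else None


# Constructed sample: ARABIC-INDIC DIGIT ONE, TWO (U+0661 U+0662), which Python reads as 12.
NON_ASCII_12 = "\u0661\u0662"
```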
AIOHTTP vulnerable to DoS when bypassing asserts
CVE-2025-69227 / GHSA-jj3x-wxrx-4x23
Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.
Impact
If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message.
Patch: aio-libs/aiohttp@bc1319e
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
AIOHTTP vulnerable to denial of service through large payloads
CVE-2025-69228 / GHSA-6jhg-hg63-jvvf
Summary
A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.
Impact
If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory.
Patch: aio-libs/aiohttp@b7dbd35
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
AIOHTTP vulnerable to DoS through chunked messages
CVE-2025-69229 / GHSA-g84x-mcqj-x9qq
Summary
Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.
Impact
If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.
Patch: aio-libs/aiohttp@dc3170b
Patch: aio-libs/aiohttp@4ed97a4
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
AIOHTTP Vulnerable to Cookie Parser Warning Storm
CVE-2025-69230 / GHSA-fh55-r93g-j68g
Summary
Reading multiple invalid cookies can lead to a logging storm.
Impact
If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.
Patch: aio-libs/aiohttp@64629a0
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
CVE-2026-22815 / GHSA-w2fm-2cpv-w7v5
Summary
Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
Impact
An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.
Patch: aio-libs/aiohttp@0c2e9da
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
CVE-2026-34513 / GHSA-hcc4-c3v8-rx92
Summary
An unbounded DNS cache could result in excessive memory usage, possibly resulting in a DoS situation.
Impact
If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.
Patch: aio-libs/aiohttp@c4d77c3
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
AIOHTTP has CRLF injection through multipart part content type header construction
CVE-2026-34514 / GHSA-2vrm-gr82-f7m5
Summary
An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits.
Impact
If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.
Patch: aio-libs/aiohttp@9a6ada9
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
CVE-2026-34515 / GHSA-p998-jp59-783m
Summary
On Windows the static resource handler may expose information about an NTLMv2 remote path.
Impact
If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.
Patch: aio-libs/aiohttp@0ae2aa0
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
AIOHTTP has a Multipart Header Size Bypass
CVE-2026-34516 / GHSA-m5qp-6w8w-w647
Summary
A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.
Impact
Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.
Patch: aio-libs/aiohttp@8a74257
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
AIOHTTP has late size enforcement for non-file multipart fields, causing memory DoS
CVE-2026-34517 / GHSA-3wq7-rqq7-wx6j
Summary
For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.
Impact
If an application uses Request.post(), an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.
Patch: aio-libs/aiohttp@cbb774f
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
CVE-2026-34518 / GHSA-966j-vmvw-g2g9
Summary
When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.
Impact
The Cookie and Proxy-Authorization headers could contain sensitive information which may be leaked to an unintended party after following a redirect.
Patch: aio-libs/aiohttp@5351c98
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
AIOHTTP has HTTP response splitting via \r in reason phrase
CVE-2026-34519 / GHSA-mwh4-6h8g-pg8w
Summary
An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits.
Impact
In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, an attacker could manipulate the response to send something different from what the developer intended.
Patch: aio-libs/aiohttp@53b35a2
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
CVE-2026-34520 / GHSA-63hf-3vf5-4wqf
Summary
The C parser (the default for most installs) accepted null bytes and control characters in response headers.
Impact
An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or than what a reverse proxy interpreted it as, potentially resulting in some kind of security bypass.
Patch: aio-libs/aiohttp@9370b97
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
AIOHTTP accepts duplicate Host headers
CVE-2026-34525 / GHSA-c427-h43c-vf67
Summary
Multiple Host headers were allowed in aiohttp.
Impact
Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().
Patch: aio-libs/aiohttp@e00ca3c
Patch: aio-libs/aiohttp@53e2e6f
Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
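An inbound check that closes both of the last two gaps (control characters or NUL in header values, and more than one Host header) before any routing decision is made, as an added example; this is not aiohttp's parser or the referenced patches. It treats a request as a list of raw (name, value) byte pairs, so the sample inputs, the function names and the choice to hold values as lists are assumptions of the example. The idea is that the host the application routes on must be the single host the front-end proxy saw, and a value containing a control character is rejected outright instead of being compared after each side has cleaned it up differently.

```python
"""Reject request headers that a reverse proxy and the application could read differently."""
from __future__ import annotations

import re

# RFC 9110: field-name is a token; field-value is VCHAR / obs-text with SP / HTAB.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_BAD_IN_VALUE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")  # HTAB (0x09) is permitted


def validate_request_headers(raw: list[tuple[bytes, bytes]]) -> dict[str, list[str]]:
    """Return lower-cased field-name -> list of values, or raise ValueError.

    Rejects malformed names, control characters or NUL anywhere in a value, and
    anything other than exactly one Host header.
    """
    seen: dict[str, list[str]] = {}
    for name, value in raw:
        if not _TOKEN.fullmatch(name):
            raise ValueError(f"invalid field-name {name!r}")
        if _BAD_IN_VALUE.search(value):
            raise ValueError(f"control character in value of {name!r}")
        key = name.decode("ascii").lower()  # token chars are ASCII, so this cannot fail
        val = value.strip(b" \t").decode("latin-1")
        if key == "host" and "host" in seen:
            raise ValueError("duplicate Host header")
        seen.setdefault(key, []).append(val)
    if "host" not in seen:
        raise ValueError("HTTP/1.1 request must carry a Host header")
    return seen


def accepted(raw: list[tuple[bytes, bytes]]) -> bool:
    """Convenience wrapper: True if the header block passes validation."""
    try:
        validate_request_headers(raw)
    except ValueError:
        return False
    return True


# Constructed samples
GOOD = [(b"Host", b"app.internal"), (b"X-Request-Id", b"42")]
TWO_HOSTS = [(b"Host", b"public.example"), (b"Host", b"admin.internal")]
NUL_IN_HOST = [(b"Host", b"app.internal\x00admin.internal")]
TAB_IN_VALUE = [(b"Host", b"app.internal"), (b"X-Note", b"a\tb")]
```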
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
CVE-2026-34993 / GHSA-jg22-mg44-37j8
Summary
Using CookieJar.load() with untrusted input may allow arbitrary code execution.
Impact
Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.
Workaround
If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.
Patch: aio-libs/aiohttp@dcf40f3
Severity
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L
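The restricted-unpickler pattern this fix relies on (the 3.14.0 release notes below say CookieJar.load() now tries JSON first and falls back to a restricted pickle unpickler), as an added example. This is not aiohttp's implementation: the allow-list, the function names and the constructed payload are assumptions of the example. The payload calls os.getpid() so that running it is harmless; it stands in for whatever a hostile cookie file would actually invoke, and the plain pickle.loads() path is kept only to show that the call really happens.

```python
"""Loading a persisted cookie file: JSON first, then a pickle loader that refuses arbitrary globals."""
import io
import json
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Only the (module, name) pairs in ALLOWED may be resolved while unpickling.

    The allow-list is an assumption for this example (plain containers plus the
    stdlib cookie classes a jar would reasonably persist); it is not aiohttp's list.
    """
    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
        ("builtins", "str"), ("builtins", "int"), ("builtins", "bool"),
        ("http.cookies", "SimpleCookie"), ("http.cookies", "Morsel"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_cookie_file(data: bytes):
    """Try JSON; only if that fails fall back to the restricted pickle loader."""
    try:
        return json.loads(data)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        return RestrictedUnpickler(io.BytesIO(data)).load()


def load_cookie_file_unsafe(data: bytes):
    """Unrestricted pickle.loads(): any global named in the file gets called."""
    return pickle.loads(data)


class _CallsGetpid:
    """Constructed sample: a pickle payload that calls os.getpid() when loaded.

    An attacker would name os.system or subprocess.Popen here instead.
    """
    def __reduce__(self):
        return (os.getpid, ())


MALICIOUS = pickle.dumps(_CallsGetpid())
LEGIT_JSON = json.dumps({"session": "abc123"}).encode()
LEGIT_PICKLE = pickle.dumps({"session": "abc123"})


def restricted_rejects(data: bytes) -> bool:
    """True if the safe loader refuses the file."""
    try:
        load_cookie_file(data)
    except pickle.UnpicklingError:
        return True
    return False
```

Whichever allow-list is used, it should be the smallest set that round-trips the jar's own save() output; the JSON path needs no allow-list at all, which is why it is tried first.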
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
CVE-2026-47265 / GHSA-hg6j-4rv6-33pg
Summary
Cookies set with the cookies parameter on requests are sent after following a cross-origin redirect.
Impact
If a developer uses the cookies parameter on a per-request basis, then sensitive data might be leaked to an attacker if they manage to control a redirect.
Workaround
If unable to upgrade, using a Cookie header in the headers parameter is not vulnerable.
Patch: aio-libs/aiohttp@f54c408
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
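The redirect rule that both cross-origin advisories (this one and CVE-2026-34518 above) come down to, as an added example rather than aiohttp's client code: resolve the Location target, recompute its origin, and when it differs from the current origin drop Authorization, Cookie, Proxy-Authorization and any per-request cookies before the next hop. The sample headers, the origin() helper and the decision to treat a scheme change as a new origin are assumptions of the example. Proxy credentials for the next hop belong in the proxy configuration (the deprecation note in the release notes below points at proxy_headers for that), not in the request headers that travel with the redirect.

```python
"""Credential-bearing request state must not follow a redirect to another origin."""
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

# Headers that carry credentials for the current origin only.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in; a scheme change is a new origin."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else 80)
    return scheme, (u.hostname or "").lower(), port


def prepare_redirect(current_url: str, location: str,
                     headers: dict[str, str], cookies: dict[str, str]):
    """Return (headers, cookies, target_url) for the next hop.

    Same origin: everything is forwarded unchanged. Cross-origin: credential
    headers are dropped and per-request cookies are discarded. A session cookie
    jar (not modelled here) decides separately what it sends to the new host.
    """
    target = urljoin(current_url, location)  # Location may be relative
    if origin(current_url) == origin(target):
        return dict(headers), dict(cookies), target
    kept = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return kept, {}, target


# Constructed sample request state
HEADERS = {
    "Authorization": "Bearer s3cr3t",
    "Cookie": "sid=1",
    "Proxy-Authorization": "Basic cHJveHk=",
    "User-Agent": "demo/1.0",
}
PER_REQUEST_COOKIES = {"csrf": "tok"}
```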
Release Notes
aio-libs/aiohttp (aiohttp)
v3.14.0
We have a new website! https://aio-libs.org
Subscribe to the news feed to find out more about what we're working on in future.
Features
- Added RequestKey and ResponseKey classes, which enable static type checking for request & response context storages in the same way that AppKey does for Application -- by gsoldatov. Related issues and pull requests on GitHub: #11766.
- Added aiohttp.encode_basic_auth() for encoding HTTP Basic Authentication credentials. Replaces the now-deprecated aiohttp.BasicAuth -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12499.
- Started accepting asynchronous context managers for cleanup contexts. Legacy single-yield asynchronous generator cleanup contexts continue to be supported; async context managers are adapted internally so they are entered at startup and exited during cleanup -- by MannXo. Related issues and pull requests on GitHub: #11681.
- Added CookieJar.cookies and CookieJar.host_only_cookies read-only properties to aiohttp.CookieJar, exposing the stored cookies with their full attributes -- by Br1an67. Related issues and pull requests on GitHub: #3951.
- Added the aiohttp.web.TCPSite.port accessor for dynamic port allocations in TCPSite -- by twhittock-disguise and rodrigobnogueira. Related issues and pull requests on GitHub: #10665.
- Added the decode_text parameter to ClientSession.ws_connect() and aiohttp.web.WebSocketResponse to receive WebSocket TEXT messages as raw bytes instead of decoded strings, enabling direct use with high-performance JSON parsers like orjson -- by bdraco. Related issues and pull requests on GitHub: #11763, #11764.
- Large overhaul of parser/decompression code. The zip bomb security fix in 3.13 stopped highly compressed payloads from being decompressed, regardless of validity. Now aiohttp will decompress such payloads in chunks of 256+ KiB, allowing safe decompression of such payloads -- by Dreamsorcerer. Related issues and pull requests on GitHub: #11966.
- Added explicit APIs for a bytes-returning JSON serializer: the JSONBytesEncoder type, JsonBytesPayload, aiohttp.web.json_bytes_response(), the WebSocketResponse.send_json_bytes() and ClientWebSocketResponse.send_json_bytes() methods, and the json_serialize_bytes parameter for ClientSession -- by kevinpark1217. Related issues and pull requests on GitHub: #11989.
- Added ClientResponse.output_size and ClientResponse.upload_complete -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12452.
Bug fixes
- Fixed ZLibDecompressor silently dropping data past the first member when decompressing concatenated gzip/deflate streams. Each subsequent member is now handed to a fresh decompressor, matching the behaviour already implemented for ZSTD multi-frame streams -- by Ashutosh-177. Related issues and pull requests on GitHub: #7157.
- Improved the parser error message shown when TLS handshake bytes are received on an HTTP port -- by puneetdixit200. Related issues and pull requests on GitHub: #10142.
- Fixed the C parser failing to reject a response with a body when none was expected -- by Dreamsorcerer. Related issues and pull requests on GitHub: #10587.
- Fixed the HTTP parser not rejecting HTTP/1.1 requests that do not have a valid Host header -- by Cycloctane. Related issues and pull requests on GitHub: #10600.
- Fixed misleading TLS-in-TLS warning being emitted when sending HTTPS requests through an HTTP proxy. The warning now only fires when the proxy itself uses HTTPS, which is the only case where TLS-in-TLS actually applies -- by wavebyrd. Related issues and pull requests on GitHub: #10683.
- Fixed AssertionError when the transport is None during WebSocket preparation or file response sending (e.g. when a client disconnects immediately after connecting). A ConnectionResetError is now raised instead -- by agners. Related issues and pull requests on GitHub: #11761.
- Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has unsafe=True and the target URL uses an IP address, by copying the unsafe setting from the session's cookie jar to the temporary cookie jar -- by Krishnachaitanyakc. Related issues and pull requests on GitHub: #12011.
- Reset the WebSocket heartbeat timer on inbound data to avoid false ping/pong timeouts while receiving large frames -- by hoffmang9. Related issues and pull requests on GitHub: #12030.
- Switched CookieJar.save() to use JSON format and CookieJar.load() to try JSON first with a fallback to a restricted pickle unpickler -- by YuvalElbar6. Related issues and pull requests on GitHub: #12091.
- Fixed redirects with consumed non-rewindable request bodies to raise aiohttp.ClientPayloadError instead of silently sending an empty body. Related issues and pull requests on GitHub: #12195.
- Fixed zstd decompression failing with ClientPayloadError when the server sends a response as multiple zstd frames -- by josu-moreno. Related issues and pull requests on GitHub: #12234.
- Fixed spurious "Future exception was never retrieved" warning on disconnect during back-pressure -- by availov. Related issues and pull requests on GitHub: #12281.
- CookieJar.save() now writes the file with 0o600 permissions (owner read/write only) to better protect it from being read by other users -- by digiscrypt. Related issues and pull requests on GitHub: #12312.
- Fixed a crash (http.cookies.CookieError) in the cookie parser when receiving cookies containing ASCII control characters on CPython builds with the CVE-2026-3644 patch. The parser now gracefully skips cookies whose value contains control characters instead of letting the exception propagate -- by rodrigobnogueira. Related issues and pull requests on GitHub: #12395.
- Fixed digest authentication failing for requests whose path or query string contains percent-encoded reserved characters; the digest signature now uses the encoded request-target that is sent on the wire instead of the decoded form -- by bdraco. Related issues and pull requests on GitHub: #12436.
- Fixed aiohttp.web.run_app() losing inner traceback frames when an exception is raised during application startup (e.g. inside cleanup_ctx or on_startup). Regression since 3.10.6. Related issues and pull requests on GitHub: #12493.
- Fixed per-request cookies not being dropped on cross-origin redirects -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12550.
- Fixed invalid bytes being allowed in multipart/payload headers -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12719.
- Fixed FormData.add_field() accepting invalid bytes in name and filename -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12721.
- Fixed a websocket upgrade occurring when the header contained a value like "notupgrade" -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12723.
Deprecations (removal in next major release)
- Deprecated aiohttp.BasicAuth and the auth/proxy_auth parameters. They will be removed in aiohttp 4.0. Use the new aiohttp.encode_basic_auth() helper together with headers={"Authorization": ...} (or proxy_headers={"Proxy-Authorization": ...} for proxies) instead. Note that encode_basic_auth() defaults to utf-8, not latin1 -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12499.
- Added a deprecation warning to aiohttp.pytest_plugin; please switch to pytest-aiohttp -- by Dreamsorcerer. Related issues and pull requests on GitHub: #10785.
Removals and backward incompatible breaking changes
- Stopped calling socket.getfqdn() as the fallback for aiohttp.web.BaseRequest.host. socket.getfqdn() performs blocking reverse DNS resolution on the event loop thread and can stall a worker for many seconds when the system resolver is slow, and could be triggered remotely by an HTTP/1.0 request that omits the Host header. The fallback when no Host header is present is now the local socket address the request arrived on (transport sockname), or an empty string if no transport information is available. Code that relied on the FQDN being returned must now read it from socket.getfqdn() directly, off the event loop -- by bdraco. Related issues and pull requests on GitHub: #9308, #12597.
- Dropped support for Python 3.9 -- by Dreamsorcerer. Related issues and pull requests on GitHub: #11601.
- Tightened outbound header serialization to reject all ASCII control characters forbidden by RFC 9110 section 5.5 and RFC 9112 section 4 (0x00-0x08, 0x0A-0x1F, 0x7F) in status lines, header field-names, and field-values. Previously only CR, LF and NUL were rejected. HTAB (0x09) remains permitted in field values. Applications that placed bare control characters in outbound headers will now raise ValueError instead of emitting non-RFC-compliant bytes -- by rodrigobnogueira. Related issues and pull requests on GitHub: #12689.
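The serialization rule in the last item, applied to the two header-injection advisories above (CVE-2026-34514 on the multipart content_type and CVE-2026-34519 on a bare \r in the reason phrase), as an added example that is not aiohttp's serializer or the referenced patches: the strict check rejects the whole RFC 9110/9112 range 0x00-0x08, 0x0A-0x1F, 0x7F while keeping HTAB, and the weaker check beside it only looks for the CRLF pair, which is why a bare CR slips through it. The function names and the injected sample values are constructed for the example.

```python
"""Outbound HTTP/1.1 serialization that refuses the control characters RFC 9110/9112 forbid."""
from __future__ import annotations

import re

# RFC 9110 s5.5 / RFC 9112 s4: forbidden in field values and the reason phrase are
# 0x00-0x08, 0x0A-0x1F and 0x7F. HTAB (0x09) is allowed between words.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # tchar+, the only shape a field-name may have


def check_value(text: str, what: str) -> str:
    """Strict check: any forbidden control character aborts serialization."""
    m = _FORBIDDEN.search(text)
    if m:
        raise ValueError(f"{what} contains control character 0x{ord(m.group()):02x}")
    return text


def crlf_only_check(text: str, what: str) -> str:
    """Weaker check that only looks for the CRLF pair; a bare CR or LF slips through."""
    if "\r\n" in text:
        raise ValueError(f"{what} contains CRLF")
    return text


def serialize_response(status: int, reason: str, headers: dict[str, str],
                       strict: bool = True) -> bytes:
    """Build the status line and header block; raise ValueError rather than emit bad bytes."""
    check = check_value if strict else crlf_only_check
    lines = [f"HTTP/1.1 {status} {check(reason, 'reason phrase')}"]
    for name, value in headers.items():
        if not _TOKEN.fullmatch(name):
            raise ValueError(f"invalid field-name {name!r}")
        lines.append(f"{name}: {check(value, f'value of {name}')}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def serialization_fails(status: int, reason: str, headers: dict[str, str],
                        strict: bool = True) -> bool:
    """True if the serializer refuses the response."""
    try:
        serialize_response(status, reason, headers, strict)
    except ValueError:
        return True
    return False


# Constructed samples of the two advisory shapes
INJECTED_REASON = "OK\rX-Injected: 1"                  # bare CR in the reason phrase
INJECTED_CONTENT_TYPE = "text/plain\r\nX-Injected: 1"  # CRLF in a content type value
```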
Improved documentation
- Replaced the deprecated ujson library with orjson in the client quickstart documentation. ujson has been put into maintenance-only mode; orjson is the recommended alternative -- by indoor47. Related issues and pull requests on GitHub: #10795.
- Added the threat_model document to the Sphinx documentation -- by omkar-334. Related issues and pull requests on GitHub: #12549.
- Removed archived and deprecated repositories from the third party list -- by Polandia94. Related issues and pull requests on GitHub: #12726.
- Added aiointercept to the list of third-party libraries -- by Polandia94. Related issues and pull requests on GitHub: #12727.
Packaging updates and notes for downstreams
- Added wheels for Android and iOS platforms -- by timrid. Related issues and pull requests on GitHub: #11750.
- Parallelized the Cython extension compilation by defaulting build_ext.parallel to os.cpu_count(), so each module's gcc invocation now runs concurrently instead of one at a time -- by bdraco. Related issues and pull requests on GitHub: #12576.
- Submitted vendored llhttp to GitHub's SBOM -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12678.
- Updated llhttp to v9.4.1 -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12681.
Contributor-facing changes
- The coverage tool is now configured using the new native auto-discovered .coveragerc.toml file -- by webknjaz. It is also set up to use the ctrace core that works around the performance issues in the sysmon tracer which is the default under Python 3.14. Related issues and pull requests on GitHub: #11826.
- Fixed and reworked autobahn tests -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12173.
- Added a CI job to measure Cython coverage -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12349.
- Disabled coverage and xdist by default to ease local development -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12364.
- Avoid installation of backports.zstd on Python 3.14 in the linting dependency set -- by seifertm. Related issues and pull requests on GitHub: #12406.
- Added --durations=30 to the benchmark CI run so the slowest tests are reported when the job hits its timeout -- by aiolibsbot. Related issues and pull requests on GitHub: #12562.
- Fixed two flaky test_middleware_uses_session_avoids_recursion_with_* tests that hard coded localhost in the inner middleware request; they now target the bound server URL so happy eyeballs cannot pick an unbound address on Windows runners -- by bdraco. Related issues and pull requests on GitHub: #12571.
- Restricted the isal test dependency to CPython, since isal 1.8.0 stopped publishing PyPy wheels and the source build requires nasm, which is not available on the CI runners. The parametrize_zlib_backend fixture already calls pytest.importorskip, so PyPy continues to exercise the zlib and zlib_ng backends with no further changes -- by bdraco. Related issues and pull requests on GitHub: #12589.
- Fixed a flaky test_tcp_connector_fingerprint_ok by aborting the SSL shutdown on the test's TCP connector before returning. The graceful TLS close was occasionally outliving the test event loop on one of the CI jobs, and the teardown gc.collect() then surfaced the still-open transport as a PytestUnraisableExceptionWarning -- by bdraco. Related issues and pull requests on GitHub: #12592.
- Switched the cibuildwheel build frontend to build[uv] so that uv provisions every build-isolation virtual environment in the wheel matrix, replacing the per-ABI pip resolve with a roughly sub-second uv resolve -- by bdraco. Related issues and pull requests on GitHub: #12595.
- Fixed flaky test_handler_returns_not_response and test_handler_returns_none by routing loop.set_debug(True) through a new loop_debug_mode fixture that disables debug mode before the aiohttp_client fixture finalizes. Leaving debug on through teardown let PyPy 3.11's asyncio slow-callback logger walk into Task.__repr__ during connector close, surfacing a spurious "RuntimeWarning: coroutine was never awaited" -- by bdraco. Related issues and pull requests on GitHub: #12603.
- Reduced runtime of several of the slowest unit tests (decompress size-limit payloads from 64 MiB to 2 MiB, test_chunk_splits_after_pause chunk count from 50000 to 20000, and test_set_cookies_max_age sleep from 2 seconds to 1.1 seconds) without changing what they exercise -- by bdraco. Related issues and pull requests on GitHub: #12606.
- Added a default 120-second per-test timeout via pytest-timeout so a hung test surfaces by name in CI output instead of getting hidden behind the job-level timeout added in PR 12619. The autobahn and benchmark jobs opt out with --timeout=0 -- by bdraco. Related issues and pull reque
Configuration
📅 Schedule: (in timezone America/Chicago)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.