
Update dependency aiohttp to v3.13.4 [SECURITY] #59

Open
renovate[bot] wants to merge 1 commit into master from renovate/pypi-aiohttp-vulnerability

Conversation


@renovate renovate Bot commented Nov 28, 2023

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package   Change                  Age   Confidence
aiohttp   3.8.6 -> 3.13.4         age   confidence
aiohttp   ==3.8.6 -> ==3.13.4     age   confidence

aiohttp's ClientSession is vulnerable to CRLF injection via method

CVE-2023-49082 / GHSA-qvrw-v9rv-5rjx

More information

Details

Summary

Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.

Details

The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.

Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.

PoC

A minimal example can be found here:
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

Impact

If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Workaround

If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).

Patch: https://github.com/aio-libs/aiohttp/pull/7806/files

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp's ClientSession is vulnerable to CRLF injection via version

CVE-2023-49081 / GHSA-q3qx-c6g2-7pw2

More information

Details

Summary

Improper validation makes it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.

Details

The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).
For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the version parameter.
Furthermore, the vulnerability only occurs when the Connection header is passed to the headers parameter.

At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.

PoC

The POC below shows an example of providing an unvalidated array as a version:
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e

Impact

CRLF injection leading to Request Smuggling.

Workaround

If these specific conditions are met and you are unable to upgrade, then validate the user input to the version parameter to ensure it is a str.

Patch: https://github.com/aio-libs/aiohttp/pull/7835/files

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators

CVE-2024-23829 / GHSA-8qpw-xqxj-h4r2

More information

Details

Summary

Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.

Details

These problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:

  1. The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).

  2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.

  3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 token.

PoC

GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked

Impact

Primarily concerns running an aiohttp server without llhttp:

  1. behind a proxy: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.
  2. directly accessible or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.

Patch: https://github.com/aio-libs/aiohttp/pull/8074/files

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp is vulnerable to directory traversal

CVE-2024-23334 / GHSA-5h86-8mv2-jq9f

More information

Details

Summary

Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Details

When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:

from aiohttp import web

app = web.Application()
app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])
Impact

This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.

Workaround

Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.

If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.


Patch: https://github.com/aio-libs/aiohttp/pull/8079/files

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp Cross-site Scripting vulnerability on index pages for static file handling

CVE-2024-27306 / GHSA-7gpw-8wmc-pm8g

More information

Details

Summary

A XSS vulnerability exists on index pages for static file handling.

Details

When using web.static(..., show_index=True), the resulting index pages do not escape file names.

If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.

Other users can disable show_index if unable to upgrade.


Patch: https://github.com/aio-libs/aiohttp/pull/8319/files

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests

CVE-2024-30251 / GHSA-5m98-qgg9-wh84

More information

Details

Summary

An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

Impact

An attacker can stop the application from serving requests after sending a single request.


For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in _read_chunk_from_length()):

diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@​@​ -338,6 +338,8 @​@​ class BodyPartReader:
         assert self._length is not None, "Content-Length required for chunked read"
         chunk_size = min(size, self._length - self._read_bytes)
         chunk = await self._content.read(chunk_size)
+        if self._content.at_eof():
+            self._at_eof = True
         return chunk
 
     async def _read_chunk_from_stream(self, size: int) -> bytes:
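Review bot: the new EOF check keys only on `self._content.at_eof()`, so a read that comes back empty while the stream has not yet flagged EOF (for example when `chunk_size` is already 0 because `self._read_bytes` has reached `self._length`) still returns `b""` without setting `self._at_eof`, and a caller looping on that flag keeps spinning. Consider also setting `self._at_eof = True` when `chunk_size == 0` or when `chunk` is empty, and, as the advisory text itself notes, backport the three follow-up commits rather than shipping this hunk alone, since it changes form-data handling.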

This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
aio-libs/aiohttp@cebe526
aio-libs/aiohttp@7eecdff
aio-libs/aiohttp@f21c6f2

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp allows request smuggling due to incorrect parsing of chunk extensions

CVE-2024-52304 / GHSA-8495-4g3g-x7pr

More information

Details

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: aio-libs/aiohttp@259edc3

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections

CVE-2025-53643 / GHSA-9548-qrrj-x5pj

More information

Details

Summary

The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: aio-libs/aiohttp@e8d774f

Severity

  • CVSS Score: 1.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP's unicode processing of header values could cause parsing discrepancies

CVE-2025-69224 / GHSA-69f9-5gxw-wvc2

More information

Details

Summary

The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: aio-libs/aiohttp@32677f2

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb

CVE-2025-69223 / GHSA-6mq8-rvhq-8wgg

More information

Details

Summary

A zip bomb can be used to execute a DoS against the aiohttp server.

Impact

An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.


Patch: aio-libs/aiohttp@2b920c3

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has unicode match groups in regexes for ASCII protocol elements

CVE-2025-69225 / GHSA-mqqc-3gqh-h2x8

More information

Details

Summary

The parser allows non-ASCII decimals to be present in the Range header.

Impact

There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.


Patch: aio-libs/aiohttp@c7b7a04

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP vulnerable to brute-force leak of internal static file path components

CVE-2025-69226 / GHSA-54jq-c3m8-4m76

More information

Details

Summary

Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components.

Impact

If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.


Patch: aio-libs/aiohttp@f2a86fd

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP vulnerable to DoS when bypassing asserts

CVE-2025-69227 / GHSA-jj3x-wxrx-4x23

More information

Details

Summary

When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.

Impact

If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message.


Patch: aio-libs/aiohttp@bc1319e

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP vulnerable to denial of service through large payloads

CVE-2025-69228 / GHSA-6jhg-hg63-jvvf

More information

Details

Summary

A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.

Impact

If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory.


Patch: aio-libs/aiohttp@b7dbd35

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP vulnerable to DoS through chunked messages

CVE-2025-69229 / GHSA-g84x-mcqj-x9qq

More information

Details

Summary

Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.

Impact

If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.


Patch: aio-libs/aiohttp@dc3170b
Patch: aio-libs/aiohttp@4ed97a4

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP Vulnerable to Cookie Parser Warning Storm

CVE-2025-69230 / GHSA-fh55-r93g-j68g

More information

Details

Summary

Reading multiple invalid cookies can lead to a logging storm.

Impact

If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.


Patch: aio-libs/aiohttp@64629a0

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage

CVE-2026-22815 / GHSA-w2fm-2cpv-w7v5

More information

Details

Summary

Insufficient restrictions in header/trailer handling could cause uncapped memory usage.

Impact

An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.


Patch: aio-libs/aiohttp@0c2e9da

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector

CVE-2026-34513 / GHSA-hcc4-c3v8-rx92

More information

Details

Summary

An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.

Impact

If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.


Patch: aio-libs/aiohttp@c4d77c3

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has CRLF injection through multipart part content type header construction

CVE-2026-34514 / GHSA-2vrm-gr82-f7m5

More information

Details

Summary

An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits.

Impact

If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.


Patch: aio-libs/aiohttp@9a6ada9

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows

CVE-2026-34515 / GHSA-p998-jp59-783m

More information

Details

Summary

On Windows the static resource handler may expose information about a NTLMv2 remote path.

Impact

If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.


Patch: aio-libs/aiohttp@0ae2aa0

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has a Multipart Header Size Bypass

CVE-2026-34516 / GHSA-m5qp-6w8w-w647

More information

Details

Summary

A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.

Impact

Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.


Patch: aio-libs/aiohttp@8a74257

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

CVE-2026-34517 / GHSA-3wq7-rqq7-wx6j

More information

Details

Summary

For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.

Impact

If an application uses Request.post() an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.


Patch: aio-libs/aiohttp@cbb774f

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

CVE-2026-34518 / GHSA-966j-vmvw-g2g9

More information

Details

Summary

When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.

Impact

The Cookie and Proxy-Authorization headers could contain sensitive information which may be leaked to an unintended party after following a redirect.


Patch: aio-libs/aiohttp@5351c98

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has HTTP response splitting via \r in reason phrase

CVE-2026-34519 / GHSA-mwh4-6h8g-pg8w

More information

Details

Summary

An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits.

Impact

In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended.


Patch: aio-libs/aiohttp@53b35a2

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

CVE-2026-34520 / GHSA-63hf-3vf5-4wqf

More information

Details

Summary

The C parser (the default for most installs) accepted null bytes and control characters in response headers.

Impact

An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or than what a reverse proxy interpreted it as, potentially resulting in some kind of security bypass.


Patch: aio-libs/aiohttp@9370b97

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP accepts duplicate Host headers

CVE-2026-34525 / GHSA-c427-h43c-vf67

More information

Details

Summary

Multiple Host headers were allowed in aiohttp.

Impact

Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().


Patch: aio-libs/aiohttp@e00ca3c
Patch: aio-libs/aiohttp@53e2e6f

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

References

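The method, version and parser advisories above (CVE-2023-49082, CVE-2023-49081, CVE-2024-23829) and the Range-header one (CVE-2025-69225) all turn on the same two checks: protocol elements must be RFC 9110 tokens or ASCII digits, and a client must never pass a user-controlled value straight into the request line. The following is an added example, not aiohttp's code and not part of the PR body: it contrasts the lenient regex quoted in the advisory with a strict ASCII one, rejects the four PoC lines, applies the two client-side workarounds (method allowlist; version must be a str), and shows why int() is not an ASCII-digit check. ALLOWED_METHODS and the function names are assumptions for illustration.

```python
from __future__ import annotations

import re

# RFC 9110 token, used for both methods and header field names:
# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+", re.ASCII)

# Lenient pattern as quoted in the advisory: the unescaped "." matches any
# character and "\d" matches any Unicode decimal digit.
LENIENT_VERSION_RE = re.compile(r"HTTP/(\d).(\d)")
# Corrected pattern: literal dot, ASCII digits only.
STRICT_VERSION_RE = re.compile(r"HTTP/(\d)\.(\d)", re.ASCII)

# Hypothetical allowlist for user-supplied client methods.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"})


def is_token(value: str) -> bool:
    return TOKEN_RE.fullmatch(value) is not None


def lenient_version_ok(version: str) -> bool:
    return LENIENT_VERSION_RE.fullmatch(version) is not None


def strict_version_ok(version: str) -> bool:
    return STRICT_VERSION_RE.fullmatch(version) is not None


def request_line_error(line: str) -> str | None:
    """Return None for a well-formed request-line, otherwise the reason it fails."""
    if "\r" in line or "\n" in line:
        return "bare CR or LF inside request-line"
    parts = line.split(" ")
    if len(parts) != 3:
        return "expected exactly 'method SP target SP version'"
    method, target, version = parts
    if not is_token(method):
        return "method is not an RFC 9110 token"
    if not target or not target.isascii() or any(c.isspace() or ord(c) < 0x20 for c in target):
        return "request-target contains whitespace, control or non-ASCII characters"
    if not strict_version_ok(version):
        return "version is not HTTP/<ASCII digit>.<ASCII digit>"
    return None


def header_line_error(line: str) -> str | None:
    """Same token rule for field names; CTLs other than HTAB are rejected in values."""
    name, sep, value = line.partition(":")
    if not sep:
        return "no ':' separator"
    if not is_token(name):
        return "field name is not an RFC 9110 token"
    value = value.strip(" \t")
    if any((ord(c) < 0x20 and c != "\t") or c == "\x7f" for c in value):
        return "control character in field value"
    return None


def is_safe_method(value: object) -> bool:
    """Workaround from the method advisory: allowlist, never the raw value."""
    return isinstance(value, str) and value in ALLOWED_METHODS


def is_safe_version(value: object) -> bool:
    """Workaround from the version advisory: must be a str (a list bypassed
    validation) and must match the strict form."""
    return isinstance(value, str) and strict_version_ok(value)


def render_request_line(method: str, target: str, version: str = "HTTP/1.1") -> str:
    """Naive serializer: shows what a CRLF inside any field does on the wire."""
    return f"{method} {target} {version}\r\n"


def parse_ascii_int(value: str) -> int | None:
    """int() happily accepts non-ASCII digits (int("𝟙") == 1); protocol
    numbers such as Range offsets must be ASCII DIGIT only."""
    if value and value.isascii() and value.isdigit():
        return int(value)
    return None
```

Running the four PoC lines from the parser advisory through request_line_error and header_line_error rejects each of them, while the lenient pattern accepts both "HTTP/1ö1" and "HTTP/1.𝟙".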
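The chunk-extension, trailer-section and trailer-limit advisories (CVE-2024-52304, CVE-2025-53643, CVE-2026-22815) describe a decoder that tolerates bare LF in a chunk line, does not parse the trailer section, or lets it grow without bound. The decoder below is an added example, not aiohttp's parser and not part of the PR body: it requires CRLF everywhere, never interprets chunk extensions, caps the trailer section, and treats any bytes left after the final chunk as a smuggling signal rather than as the next request. The caps and the sample bodies are constructed for illustration.

```python
from __future__ import annotations

import re

CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]{1,16}")
TRAILER_NAME_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

MAX_TRAILERS = 8          # hypothetical caps; tune per deployment
MAX_TRAILER_BYTES = 4096


def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read up to the next CRLF; a bare CR or LF before it is an error."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("line not terminated by CRLF")
    line = buf[pos:end]
    if b"\n" in line or b"\r" in line:
        raise ValueError("bare CR or LF inside a line")
    return line, end + 2


def decode_chunked(body: bytes, max_trailers: int = MAX_TRAILERS,
                   max_trailer_bytes: int = MAX_TRAILER_BYTES) -> tuple[bytes, dict[str, str]]:
    payload = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(body, pos)
        size_field, _, _ext = line.partition(b";")   # extensions are ignored, never interpreted
        if CHUNK_SIZE_RE.fullmatch(size_field) is None:
            raise ValueError("chunk-size is not plain hex digits")
        size = int(size_field, 16)
        if size == 0:
            break
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        payload += chunk
        pos += size + 2

    # Trailer section: parsed, validated and bounded, then terminated by an empty line.
    trailers: dict[str, str] = {}
    seen = 0
    while True:
        line, pos = _read_line(body, pos)
        if line == b"":
            break
        seen += len(line) + 2
        if len(trailers) >= max_trailers or seen > max_trailer_bytes:
            raise ValueError("trailer section exceeds configured limits")
        name, sep, value = line.partition(b":")
        if not sep or TRAILER_NAME_RE.fullmatch(name) is None:
            raise ValueError("malformed trailer field")
        trailers[name.decode("ascii").lower()] = value.strip(b" \t").decode("latin-1")

    if pos != len(body):
        raise ValueError(f"{len(body) - pos} bytes after the final chunk (possible smuggled request)")
    return bytes(payload), trailers


def chunked_error(body: bytes) -> str | None:
    """None when the body decodes cleanly, otherwise the rejection reason."""
    try:
        decode_chunked(body)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample bodies.
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Checksum: abc\r\n\r\n"
BARE_LF_EXT = b"4;name=v\nalue\r\nWiki\r\n0\r\n\r\n"
SMUGGLED = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"
TRAILER_FLOOD = b"0\r\n" + b"".join(b"X-%d: y\r\n" % i for i in range(100)) + b"\r\n"
```

The last check is the one a proxy and a backend most often disagree on: a lenient parser that stops at the terminating empty line silently hands the remaining bytes to the next request.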
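For the static-file advisory (CVE-2024-23334), the missing check was that a requested path, after normalisation, must still lie under the static root, and, when follow_symlinks is off, so must the physical file it resolves to. The following is an added example of that containment check, not aiohttp's resolver and not part of the PR body; it builds a throwaway fixture directory (constructed, in a temp dir) with one public file, one file outside the root and a symlink pointing at it. Function names are assumptions.

```python
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


def _under(root: Path, path: Path) -> bool:
    return path == root or root in path.parents


def resolve_static(root: Path, request_path: str, follow_symlinks: bool = False) -> Path | None:
    """Map a URL path onto a regular file below root, or None if it escapes."""
    root = root.resolve()
    # Percent-decode first, then drop leading slashes so the value can never be
    # joined as an absolute path (Path("/srv/static") / "/etc/passwd" == "/etc/passwd").
    rel = unquote(request_path).lstrip("/")
    if "\x00" in rel:
        return None
    # Lexical containment: ".." must not climb above root, whatever follow_symlinks says.
    candidate = Path(os.path.normpath(root / rel))
    if not _under(root, candidate) or not candidate.is_file():
        return None
    if follow_symlinks:
        # The option's purpose: a symlink may lead outside root. Only safe offline.
        return candidate
    # Physical containment: the real file must also be below root.
    real = candidate.resolve()
    return real if _under(root, real) else None


def build_fixture() -> dict:
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (root / "ok.txt").write_text("public")
    (base / "secret.txt").write_text("private")
    link_ok = True
    try:
        (root / "link_out").symlink_to(base / "secret.txt")
    except (OSError, NotImplementedError):
        link_ok = False   # e.g. no symlink privilege on this platform
    return {"base": base, "root": root, "symlink_created": link_ok}


def demo() -> dict[str, bool]:
    fx = build_fixture()
    root = fx["root"]
    try:
        return {
            "plain": resolve_static(root, "/ok.txt") is not None,
            "dotdot": resolve_static(root, "/../secret.txt") is None,
            "encoded": resolve_static(root, "/%2e%2e/secret.txt") is None,
            "absolute": resolve_static(root, "//etc/passwd") is None,
            "symlink_created": fx["symlink_created"],
            "symlink_blocked": fx["symlink_created"] and resolve_static(root, "/link_out") is None,
            "symlink_followed": fx["symlink_created"]
            and resolve_static(root, "/link_out", follow_symlinks=True) is not None,
        }
    finally:
        shutil.rmtree(fx["base"], ignore_errors=True)


def demo_ok() -> bool:
    r = demo()
    basics = r["plain"] and r["dotdot"] and r["encoded"] and r["absolute"]
    links = (not r["symlink_created"]) or (r["symlink_blocked"] and r["symlink_followed"])
    return basics and links
```

Even with the lexical check in place, follow_symlinks=True still serves whatever the link points at, which is why the advisory says to leave it off on anything reachable by remote users.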
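The redirect advisory (CVE-2026-34518) notes that Authorization was dropped on a cross-origin redirect while Cookie and Proxy-Authorization travelled on. The following added example, not aiohttp's client code and not part of the PR body, applies one rule to all three and walks a redirect chain so that a header stripped at hop two is not re-attached when hop three returns to the first host. "Origin" is taken here as scheme, host and effective port, which is an assumption (it also treats an https to http downgrade as cross-origin); the header set and sample values are constructed.

```python
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Hypothetical policy: headers that must not follow a redirect to another origin.
CROSS_ORIGIN_SENSITIVE = frozenset({"authorization", "cookie", "proxy-authorization"})


def origin(url: str) -> tuple[str, str, int | None]:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(headers: dict[str, str], from_url: str, to_url: str) -> dict[str, str]:
    """Headers to send to to_url after being redirected there from from_url."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CROSS_ORIGIN_SENSITIVE}


def follow_chain(headers: dict[str, str], chain: list[str]) -> list[tuple[str, dict[str, str]]]:
    """Simulate a redirect chain; returns (url, headers sent) for every hop after the first."""
    sent = []
    current = dict(headers)
    for prev, nxt in zip(chain, chain[1:]):
        current = headers_for_redirect(current, prev, nxt)
        sent.append((nxt, current))
    return sent


# Constructed sample request headers.
SAMPLE_HEADERS = {
    "Authorization": "Bearer t0ken",
    "Cookie": "session=abc",
    "Proxy-Authorization": "Basic cHJveHk6cHc=",
    "Accept": "*/*",
}
```

Same-origin redirects (including an explicit :443 on an https URL) keep everything; any change of scheme, host or port leaves only Accept in the outgoing request.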
@renovate renovate Bot changed the title Update dependency aiohttp to v3.9.0 [SECURITY] Update dependency aiohttp to v3.9.2 [SECURITY] Jan 30, 2024
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 00aa75c to 56d6b07 Compare January 30, 2024 00:00
@renovate renovate Bot changed the title Update dependency aiohttp to v3.9.2 [SECURITY] Update dependency aiohttp to v3.9.4 [SECURITY] Apr 18, 2024
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 56d6b07 to 9a1c463 Compare April 18, 2024 17:06
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from 6f6e6b9 to 48936a8 Compare August 9, 2024 18:35
@renovate renovate Bot changed the title Update dependency aiohttp to v3.9.4 [SECURITY] Update dependency aiohttp to v3.10.2 [SECURITY] Aug 9, 2024
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 48936a8 to da412db Compare November 19, 2024 00:13
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.2 [SECURITY] Update dependency aiohttp to v3.10.11 [SECURITY] Nov 19, 2024
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] Update dependency aiohttp to v3.11.9 [SECURITY] Dec 3, 2024
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from da412db to 3593f8a Compare December 3, 2024 13:46
@renovate renovate Bot changed the title Update dependency aiohttp to v3.11.9 [SECURITY] Update dependency aiohttp to v3.10.11 [SECURITY] Dec 3, 2024
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from c3fb934 to be87a25 Compare December 10, 2024 12:21
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] Update dependency aiohttp to v3.11.10 [SECURITY] Dec 10, 2024
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from be87a25 to 00e8c62 Compare December 10, 2024 21:56
@renovate renovate Bot changed the title Update dependency aiohttp to v3.11.10 [SECURITY] Update dependency aiohttp to v3.10.11 [SECURITY] Dec 10, 2024
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from 6904f7c to 3b9312e Compare December 21, 2024 03:01
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] Update dependency aiohttp to v3.11.11 [SECURITY] Dec 21, 2024
@renovate renovate Bot changed the title Update dependency aiohttp to v3.11.11 [SECURITY] Update dependency aiohttp to v3.10.11 [SECURITY] Dec 21, 2024
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 3b9312e to 274f9f3 Compare December 22, 2024 20:01
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 274f9f3 to 2efde78 Compare January 14, 2025 15:38
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 2efde78 to 6540731 Compare January 30, 2025 17:28
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] Update dependency aiohttp to v3.11.11 [SECURITY] Feb 4, 2025
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 6540731 to 486e226 Compare February 4, 2025 14:52
@renovate renovate Bot changed the title Update dependency aiohttp to v3.11.11 [SECURITY] Update dependency aiohttp to v3.10.11 [SECURITY] Feb 4, 2025
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 486e226 to 77cd1cc Compare February 9, 2025 14:03
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] Update dependency aiohttp to v3.10.11 [SECURITY] - autoclosed Feb 26, 2025
@renovate renovate Bot closed this Feb 26, 2025
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from 429642e to 2898b00 Compare April 8, 2025 10:11
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 2898b00 to 254aac1 Compare April 23, 2025 19:56
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] Update dependency aiohttp to v3.11.18 [SECURITY] Apr 23, 2025
@renovate renovate Bot changed the title Update dependency aiohttp to v3.11.18 [SECURITY] Update dependency aiohttp to v3.10.11 [SECURITY] Apr 23, 2025
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 254aac1 to 16a44a2 Compare April 24, 2025 07:14
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 16a44a2 to 54e9177 Compare May 7, 2025 12:03
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] Update dependency aiohttp to v3.11.18 [SECURITY] May 19, 2025
@renovate renovate Bot changed the title Update dependency aiohttp to v3.11.18 [SECURITY] Update dependency aiohttp to v3.10.11 [SECURITY] May 19, 2025
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 54e9177 to 637281b Compare June 18, 2025 14:37
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] Update dependency aiohttp to v3.10.11 [SECURITY] - autoclosed Jul 4, 2025
@renovate renovate Bot closed this Jul 4, 2025
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] - autoclosed Update dependency aiohttp to v3.10.11 [SECURITY] Jul 4, 2025
@renovate renovate Bot reopened this Jul 4, 2025
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from 637281b to 774e9df Compare July 4, 2025 21:54
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 774e9df to 19ec253 Compare July 14, 2025 23:08
@renovate renovate Bot changed the title Update dependency aiohttp to v3.10.11 [SECURITY] Update dependency aiohttp to v3.12.14 [SECURITY] Jul 14, 2025
@renovate renovate Bot changed the title Update dependency aiohttp to v3.12.14 [SECURITY] Update dependency aiohttp to v3.12.15 [SECURITY] Jul 29, 2025
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 19ec253 to 94831bc Compare July 29, 2025 17:55
@renovate renovate Bot changed the title Update dependency aiohttp to v3.12.15 [SECURITY] Update dependency aiohttp to v3.12.14 [SECURITY] Jul 30, 2025
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 94831bc to d0f1142 Compare August 10, 2025 14:23
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from d0f1142 to 23bfaf3 Compare September 26, 2025 04:55
@renovate renovate Bot changed the title Update dependency aiohttp to v3.12.14 [SECURITY] Update dependency aiohttp to v3.12.15 [SECURITY] Sep 26, 2025
@renovate renovate Bot changed the title Update dependency aiohttp to v3.12.15 [SECURITY] Update dependency aiohttp to v3.12.14 [SECURITY] Sep 26, 2025
@renovate renovate Bot changed the title Update dependency aiohttp to v3.12.14 [SECURITY] Update dependency aiohttp to v3.12.15 [SECURITY] Sep 29, 2025
@renovate renovate Bot changed the title Update dependency aiohttp to v3.12.15 [SECURITY] Update dependency aiohttp to v3.12.14 [SECURITY] Sep 29, 2025
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from 22fac12 to 3218432 Compare October 10, 2025 20:33
