chore(deps): update dependency aiohttp to v3.14.1 [security]#284
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency aiohttp to v3.14.1 [security]#284renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
|
|
ebadf0c to
b5d6c95
Compare
Contributor
|
👋 This PR targeted
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.13.3→3.14.1aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
CVE-2026-22815 / GHSA-w2fm-2cpv-w7v5
More information
Details
Summary
Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
Impact
An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.
Patch: aio-libs/aiohttp@0c2e9da
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
CVE-2026-34513 / GHSA-hcc4-c3v8-rx92
More information
Details
Summary
An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.
Impact
If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.
Patch: aio-libs/aiohttp@c4d77c3
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has CRLF injection through multipart part content type header construction
CVE-2026-34514 / GHSA-2vrm-gr82-f7m5
More information
Details
Summary
An attacker who controls the
content_typeparameter in aiohttp could use this to inject extra headers or similar exploits.Impact
If an application allows untrusted data to be used for the multipart
content_typeparameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.Patch: aio-libs/aiohttp@9a6ada9
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
CVE-2026-34515 / GHSA-p998-jp59-783m
More information
Details
Summary
On Windows the static resource handler may expose information about a NTLMv2 remote path.
Impact
If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.
Patch: aio-libs/aiohttp@0ae2aa0
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has a Multipart Header Size Bypass
CVE-2026-34516 / GHSA-m5qp-6w8w-w647
More information
Details
Summary
A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.
Impact
Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.
Patch: aio-libs/aiohttp@8a74257
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
CVE-2026-34517 / GHSA-3wq7-rqq7-wx6j
More information
Details
Summary
For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.
Impact
If an application uses
Request.post()an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.Patch: aio-libs/aiohttp@cbb774f
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
CVE-2026-34518 / GHSA-966j-vmvw-g2g9
More information
Details
Summary
When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.
Impact
The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect.
Patch: aio-libs/aiohttp@5351c98
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has HTTP response splitting via \r in reason phrase
CVE-2026-34519 / GHSA-mwh4-6h8g-pg8w
More information
Details
Summary
An attacker who controls the
reasonparameter when creating aResponsemay be able to inject extra headers or similar exploits.Impact
In the unlikely situation that an application allows untrusted data to be used in the response's
reasonparameter, then an attacker could manipulate the response to send something different from what the developer intended.Patch: aio-libs/aiohttp@53b35a2
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
CVE-2026-34520 / GHSA-63hf-3vf5-4wqf
More information
Details
Summary
The C parser (the default for most installs) accepted null bytes and control characters is response headers.
Impact
An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example,
request.url.origin()may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass.Patch: aio-libs/aiohttp@9370b97
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP accepts duplicate Host headers
CVE-2026-34525 / GHSA-c427-h43c-vf67
More information
Details
Summary
Multiple Host headers were allowed in aiohttp.
Impact
Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using
Application.add_domain().Patch: aio-libs/aiohttp@e00ca3c
Patch: aio-libs/aiohttp@53e2e6f
Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
CVE-2026-34993 / GHSA-jg22-mg44-37j8
More information
Details
Summary
Using
CookieJar.load()with untrusted input may allow arbitrary code execution.Impact
Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.
Workaround
If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.
Patch: aio-libs/aiohttp@dcf40f3
Severity
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
CVE-2026-47265 / GHSA-hg6j-4rv6-33pg
More information
Details
Summary
Cookies set with the
cookiesparameter on requests are sent after following a cross-origin redirect.Impact
If a developer uses the
cookiesparameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect.Workaround
If unable to upgrade, using a
Cookieheader in theheadersparameter is not vulnerable.Patch: aio-libs/aiohttp@f54c408
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
CVE-2026-54279 / GHSA-2fqr-mr3j-6wp8
More information
Details
Summary
Host-only cookies that are saved with
CookieJar.save()and then restored later withCookieJar.load()lose their host-only status.Impact
Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed.
Patch: aio-libs/aiohttp@a329a7a
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: CRLF injection in multipart headers
CVE-2026-50269 / GHSA-m6qw-4cw2-hm4m
More information
Details
Summary
Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar.
Impact
In the unlikely situation that an application is passing user-controlled strings into
MultipartWriter.append(headers=...)orPayload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request.Workaround
Sanitise such user input.
Patch: aio-libs/aiohttp@bf88077
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
CVE-2026-54278 / GHSA-g3cq-j2xw-wf74
More information
Details
Summary
During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.
Impact
An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).
Workaround
Disable compression if unable to upgrade.
Patch: aio-libs/aiohttp@4f7480e
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
CVE-2026-54277 / GHSA-63hw-fmq6-xxg2
More information
Details
Summary
It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser.
Impact
If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.
Patch: aio-libs/aiohttp@5ab61bb
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
CVE-2026-54273 / GHSA-4fvr-rgm6-gqmc
More information
Details
Summary
No limit was present on the number of pipelined requests that could be queued.
Impact
An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS.
Patch: aio-libs/aiohttp@dfdfa9d
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
CVE-2026-54280 / GHSA-9x8q-7h8h-wcw9
More information
Details
Summary
Payload resources are not closed correctly when a client disconnects in the middle of a write.
Impact
If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.
Patch: aio-libs/aiohttp@a762eda
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Incomplete websocket frame payloads bypass memory limits
CVE-2026-54274 / GHSA-xcgm-r5h9-7989
More information
Details
Summary
If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.
Impact
If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use.
Patch: aio-libs/aiohttp@14b6ee8
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
CVE-2026-54276 / GHSA-hpj7-wq8m-9hgp
More information
Details
Summary
DigestAuthMiddlewarecan send an authentication response after following a cross-origin redirect.Impact
If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest.
This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse.
Workaround
Disable
follow_redirectsif this is a concern.Patch: aio-libs/aiohttp@38d1606
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
CVE-2026-54275 / GHSA-4m7w-qmgq-4wj5
More information
Details
Summary
The
server_hostnameTLS SNI check can be bypassed when an existing connection is reused.Impact
If an application makes multiple requests to the same domain, but with different per-request
server_hostnameparameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.Workaround
Disable keep_alive if you need to change the
server_hostnamecheck between requests.Patch: aio-libs/aiohttp@0ca2b6c
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has CRLF injection through multipart part content type header construction
CVE-2026-34514 / GHSA-2vrm-gr82-f7m5
More information
Details
Summary
An attacker who controls the
content_typeparameter in aiohttp could use this to inject extra headers or similar exploits.Impact
If an application allows untrusted data to be used for the multipart
content_typeparameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.Patch: aio-libs/aiohttp@9a6ada9
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
CVE-2026-34517 / GHSA-3wq7-rqq7-wx6j
More information
Details
Summary
For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.
Impact
If an application uses
Request.post()an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.Patch: aio-libs/aiohttp@cbb774f
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
CVE-2026-34520 / GHSA-63hf-3vf5-4wqf
More information
Details
Summary
The C parser (the default for most installs) accepted null bytes and control characters is response headers.
Impact
An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example,
request.url.origin()may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass.Patch: aio-libs/aiohttp@9370b97
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
CVE-2026-34518 / GHSA-966j-vmvw-g2g9
More information
Details
Summary
When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.
Impact
The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect.
Patch: aio-libs/aiohttp@5351c98
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP accepts duplicate Host headers
CVE-2026-34525 / GHSA-c427-h43c-vf67
More information
Details
Summary
Multiple Host headers were allowed in aiohttp.
Impact
Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using
Application.add_domain().Patch: aio-libs/aiohttp@e00ca3c
Patch: aio-libs/aiohttp@53e2e6f
Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
CVE-2026-34513 / GHSA-hcc4-c3v8-rx92
More information
Details
Summary
An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.
Impact
If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.
Patch: aio-libs/aiohttp@c4d77c3
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has a Multipart Header Size Bypass
CVE-2026-34516 / GHSA-m5qp-6w8w-w647
More information
Details
Summary
A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.
Impact
Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.
Patch: aio-libs/aiohttp@8a74257
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has HTTP response splitting via \r in reason phrase
CVE-2026-34519 / GHSA-mwh4-6h8g-pg8w
More information
Details
Summary
An attacker who controls the
reasonparameter when creating aResponsemay be able to inject extra headers or similar exploits.Impact
In the unlikely situation that an application allows untrusted data to be used in the response's
reasonparameter, then an attacker could manipulate the response to send something different from what the developer intended.Patch: aio-libs/aiohttp@53b35a2
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
CVE-2026-34515 / GHSA-p998-jp59-783m
More information
Details
Summary
On Windows the static resource handler may expose information about a NTLMv2 remote path.
Impact
If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.
Patch: aio-libs/aiohttp@0ae2aa0
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
CVE-2026-22815 / GHSA-w2fm-2cpv-w7v5
More information
Details
Summary
Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
Impact
An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.
Patch: aio-libs/aiohttp@0c2e9da
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
CVE-2026-47265 / GHSA-hg6j-4rv6-33pg
More information
Details
Summary
Cookies set with the
cookiesparameter on requests are sent after following a cross-origin redirect.Impact
If a developer uses the
cookiesparameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect.Workaround
If unable to upgrade, using a
Cookieheader in theheadersparameter is not vulnerable.Patch: aio-libs/aiohttp@f54c408
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
CVE-2026-34993 / GHSA-jg22-mg44-37j8
More information
Details
Summary
Using
CookieJar.load()with untrusted input may allow arbitrary code execution.Impact
Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.
Workaround
If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.
Patch: aio-libs/aiohttp@dcf40f3
Severity
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:LReferences