chore(deps): update dependency aiohttp to v3.14.1 [security] #284

Open. renovate[bot] wants to merge 1 commit into v0.3-dev from renovate/pypi-aiohttp-vulnerability.


Conversation

@renovate renovate Bot commented Apr 1, 2026

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package: aiohttp
Change: 3.13.3 → 3.14.1

aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage

CVE-2026-22815 / GHSA-w2fm-2cpv-w7v5

Summary

Insufficient restrictions in header/trailer handling could cause uncapped memory usage.

Impact

An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.


Patch: aio-libs/aiohttp@0c2e9da

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector

CVE-2026-34513 / GHSA-hcc4-c3v8-rx92

Summary

An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.

Impact

If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.


Patch: aio-libs/aiohttp@c4d77c3

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has CRLF injection through multipart part content type header construction

CVE-2026-34514 / GHSA-2vrm-gr82-f7m5

Summary

An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits.

Impact

If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.


Patch: aio-libs/aiohttp@9a6ada9

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows

CVE-2026-34515 / GHSA-p998-jp59-783m

Summary

On Windows the static resource handler may expose information about an NTLMv2 remote path.

Impact

If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.


Patch: aio-libs/aiohttp@0ae2aa0

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has a Multipart Header Size Bypass

CVE-2026-34516 / GHSA-m5qp-6w8w-w647

Summary

A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.

Impact

Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.


Patch: aio-libs/aiohttp@8a74257

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

CVE-2026-34517 / GHSA-3wq7-rqq7-wx6j

Summary

For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.

Impact

If an application uses Request.post() an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.


Patch: aio-libs/aiohttp@cbb774f

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

CVE-2026-34518 / GHSA-966j-vmvw-g2g9

Summary

When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.

Impact

The Cookie and Proxy-Authorization headers could contain sensitive information which may be leaked to an unintended party after following a redirect.


Patch: aio-libs/aiohttp@5351c98

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has HTTP response splitting via \r in reason phrase

CVE-2026-34519 / GHSA-mwh4-6h8g-pg8w

Summary

An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits.

Impact

In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended.


Patch: aio-libs/aiohttp@53b35a2

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

CVE-2026-34520 / GHSA-63hf-3vf5-4wqf

Summary

The C parser (the default for most installs) accepted null bytes and control characters in response headers.

Impact

An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or than what a reverse proxy interpreted it as, potentially resulting in some kind of security bypass.


Patch: aio-libs/aiohttp@9370b97

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP accepts duplicate Host headers

CVE-2026-34525 / GHSA-c427-h43c-vf67

Summary

Multiple Host headers were allowed in aiohttp.

Impact

Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().


Patch: aio-libs/aiohttp@e00ca3c
Patch: aio-libs/aiohttp@53e2e6f

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP is Vulnerable to Deserialization of Untrusted Data

CVE-2026-34993 / GHSA-jg22-mg44-37j8

Summary

Using CookieJar.load() with untrusted input may allow arbitrary code execution.

Impact

Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.

Workaround

If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.


Patch: aio-libs/aiohttp@dcf40f3

Severity

  • CVSS Score: 6.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP is vulnerable to cross-origin redirect with per-request cookies

CVE-2026-47265 / GHSA-hg6j-4rv6-33pg

Summary

Cookies set with the cookies parameter on requests are sent after following a cross-origin redirect.

Impact

If a developer uses the cookies parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect.

Workaround

If unable to upgrade, using a Cookie header in the headers parameter is not vulnerable.


Patch: aio-libs/aiohttp@f54c408

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

CVE-2026-54279 / GHSA-2fqr-mr3j-6wp8

Summary

Host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() lose their host-only status.

Impact

Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed.


Patch: aio-libs/aiohttp@a329a7a

Severity

  • CVSS Score: 1.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp: CRLF injection in multipart headers

CVE-2026-50269 / GHSA-m6qw-4cw2-hm4m

Summary

Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar.

Impact

In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request.

Workaround

Sanitise such user input.


Patch: aio-libs/aiohttp@bf88077

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

CVE-2026-54278 / GHSA-g3cq-j2xw-wf74

Summary

During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.

Impact

An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).

Workaround

Disable compression if unable to upgrade.


Patch: aio-libs/aiohttp@4f7480e

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines

CVE-2026-54277 / GHSA-63hw-fmq6-xxg2

Summary

It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser.

Impact

If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.


Patch: aio-libs/aiohttp@5ab61bb

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp: HTTP/1 Pipelined Requests Queue Without Limit

CVE-2026-54273 / GHSA-4fvr-rgm6-gqmc

Summary

No limit was present on the number of pipelined requests that could be queued.

Impact

An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS.


Patch: aio-libs/aiohttp@dfdfa9d

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect

CVE-2026-54280 / GHSA-9x8q-7h8h-wcw9

Summary

Payload resources are not closed correctly when a client disconnects in the middle of a write.

Impact

If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.


Patch: aio-libs/aiohttp@a762eda

Severity

  • CVSS Score: 1.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp: Incomplete websocket frame payloads bypass memory limits

CVE-2026-54274 / GHSA-xcgm-r5h9-7989

Summary

If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.

Impact

If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use.


Patch: aio-libs/aiohttp@14b6ee8

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges

CVE-2026-54276 / GHSA-hpj7-wq8m-9hgp

Summary

DigestAuthMiddleware can send an authentication response after following a cross-origin redirect.

Impact

If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest.

This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse.

Workaround

Disable follow_redirects if this is a concern.


Patch: aio-libs/aiohttp@38d1606

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections

CVE-2026-54275 / GHSA-4m7w-qmgq-4wj5

Summary

The server_hostname TLS SNI check can be bypassed when an existing connection is reused.

Impact

If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.

Workaround

Disable keep_alive if you need to change the server_hostname check between requests.


Patch: aio-libs/aiohttp@0ca2b6c

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Note

PR body was truncated to here.
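Several of the advisories above are about the same ingress problem: a request head that is malformed in a way the proxy and aiohttp may read differently. The following is an added example, not code from this PR or from the aiohttp project: a small validator that a reverse proxy or middleware could run on the raw request head before the application sees it. The thresholds, the sample requests and the names HeaderViolation and check_request_head are this example's own assumptions.

```python
"""Defensive checks on an incoming HTTP/1 request head.

Added example, not aiohttp project code. It rejects the shapes several of the
advisories describe: duplicate Host headers (CVE-2026-34525), NUL/CR/LF or
other control characters in header values (CVE-2026-34520), oversized header
lines (CVE-2026-54277) and an unbounded number of header lines
(CVE-2026-22815). Thresholds and sample requests are constructed.
"""
import re
from typing import Dict, List, Optional

MAX_LINE_SIZE = 8190    # assumption: mirrors aiohttp's documented default max_line_size
MAX_HEADER_LINES = 100  # assumption: illustrative cap on the number of header lines

# RFC 9110 token characters, the only ones allowed in a field name.
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Anything outside printable ASCII, SP, HTAB and obs-text (0x80-0xFF) is a control byte.
_CTL_RE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderViolation(ValueError):
    """Raised when a request head fails one of the hardening checks."""


def check_request_head(raw: bytes) -> Dict[str, List[str]]:
    """Parse a request head (request line + headers, ended by CRLF CRLF).

    Raises HeaderViolation on the first problem found; otherwise returns the
    headers as a mapping of lower-cased name -> list of values."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderViolation("request head is not terminated by CRLF CRLF")
    request_line, *lines = head.split(b"\r\n")
    if len(request_line) > MAX_LINE_SIZE:
        raise HeaderViolation(f"request line exceeds {MAX_LINE_SIZE} bytes")
    if len(lines) > MAX_HEADER_LINES:
        raise HeaderViolation(f"too many header lines: {len(lines)}")
    headers: Dict[str, List[str]] = {}
    for line in lines:
        if len(line) > MAX_LINE_SIZE:
            raise HeaderViolation(f"header line exceeds {MAX_LINE_SIZE} bytes")
        if line[:1] in (b" ", b"\t"):
            raise HeaderViolation("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN_RE.fullmatch(name):
            raise HeaderViolation(f"malformed header line: {line[:32]!r}")
        # Only CRLF splits lines above, so a bare LF or CR inside a value is
        # still present here and is caught as a control character.
        if _CTL_RE.search(value):
            raise HeaderViolation(f"control character in value of {name.decode('ascii')}")
        key = name.decode("ascii").lower()
        headers.setdefault(key, []).append(value.strip(b" \t").decode("latin-1"))
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        raise HeaderViolation(f"expected exactly one Host header, got {len(hosts)}")
    return headers


def violation(raw: bytes) -> Optional[str]:
    """Convenience wrapper: the first violation message, or None when the head passes."""
    try:
        check_request_head(raw)
    except HeaderViolation as exc:
        return str(exc)
    return None


# Constructed sample requests (not taken from the advisories).
CLEAN = b"GET /api HTTP/1.1\r\nHost: app.example\r\nUser-Agent: probe/1\r\n\r\n"
DUP_HOST = b"GET /api HTTP/1.1\r\nHost: app.example\r\nHost: admin.example\r\n\r\n"
CTL_IN_HOST = b"GET /api HTTP/1.1\r\nHost: app.example\x00ignored\r\n\r\n"
OVERSIZED = (b"GET /api HTTP/1.1\r\nHost: app.example\r\nX-Pad: "
             + b"a" * (MAX_LINE_SIZE + 1) + b"\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("dup-host", DUP_HOST),
                          ("ctl-in-host", CTL_IN_HOST), ("oversized", OVERSIZED)]:
        print(f"{label:12} -> {violation(sample) or 'accepted'}")
```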
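The two client_max_size advisories above (CVE-2026-34517 and CVE-2026-54278) are both about when the limit is enforced: after a whole field or body has been materialised instead of while it is being produced. The following is an added example, not aiohttp's implementation, showing the streaming shape a defender wants for a compressed request body: zlib's max_length bounds the output of every call, so the decompressed byte count is checked per chunk and a small "bomb" is rejected after a few kilobytes of work. The limit, chunk size, sample payloads and the names BodyTooLarge and inflate_bounded are this example's own assumptions.

```python
"""Bounded, streaming decompression of a compressed request body.

Added example, not aiohttp code. The size limit is enforced on the
decompressed byte count as each chunk is produced, never after a whole body
has been inflated. Samples and thresholds are constructed.
"""
import gzip
import zlib


class BodyTooLarge(Exception):
    """Decompressed output crossed the limit; `consumed` records how many
    compressed bytes had been read when the body was rejected."""

    def __init__(self, limit: int, consumed: int) -> None:
        super().__init__(f"decompressed body exceeds {limit} bytes")
        self.consumed = consumed


def inflate_bounded(compressed: bytes, max_size: int, chunk: int = 4096) -> bytes:
    """Inflate a zlib- or gzip-wrapped body (wbits=47 auto-detects the wrapper,
    which is what HTTP's deflate/gzip content codings use) while never holding
    more than max_size + chunk bytes of output at any moment."""
    d = zlib.decompressobj(wbits=47)
    out = bytearray()
    pending = compressed
    while not d.eof:
        # max_length caps the output of this call regardless of how much the
        # input could expand to; input it did not reach is left in unconsumed_tail.
        piece = d.decompress(pending, max_length=chunk)
        pending = d.unconsumed_tail
        out += piece
        if len(out) > max_size:
            raise BodyTooLarge(max_size, len(compressed) - len(pending))
        if not piece and not pending and not d.eof:
            # No output, no input left, stream not finished: truncated or corrupt.
            raise ValueError("truncated or corrupt compressed stream")
    return bytes(out)


def try_inflate(compressed: bytes, max_size: int):
    """('ok', body) when the body fits, ('rejected', compressed_bytes_consumed) otherwise."""
    try:
        return "ok", inflate_bounded(compressed, max_size)
    except BodyTooLarge as exc:
        return "rejected", exc.consumed


# Constructed samples: a normal JSON body, a gzip body, and 10 MB of zeros
# that deflate to a few KB (the shape of a decompression bomb).
SMALL_ZLIB = zlib.compress(b'{"ok": true}')
SMALL_GZIP = gzip.compress(b"hello")
BOMB = zlib.compress(b"\x00" * 10_000_000, 9)

if __name__ == "__main__":
    print("json :", try_inflate(SMALL_ZLIB, 1_000_000))
    print("gzip :", try_inflate(SMALL_GZIP, 1_000_000))
    status, consumed = try_inflate(BOMB, 1_000_000)
    print(f"bomb : {status} after reading {consumed} of {len(BOMB)} compressed bytes")
```

The point to take from the bomb case is the `consumed` value: the request was rejected after reading only a small prefix of the compressed input, so neither the input nor the inflated output had to be buffered in full.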

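Three of the client-side advisories above (CVE-2026-34518, CVE-2026-47265 and CVE-2026-54276) share one root cause: a credential bound to the original origin (Cookie, Proxy-Authorization, a per-request cookie, a Digest response) kept travelling after a redirect to a different origin. The following is an added example, not aiohttp's own redirect code: it models the policy those fixes converge on by comparing scheme, host and port of each hop and dropping origin-bound credentials whenever they differ. The function names and the sample redirect chain are this example's own assumptions.

```python
"""Which request credentials may follow a redirect.

Added example, not aiohttp's implementation. A credential that authenticates
the client to the original origin must not be replayed to a different origin
just because that origin answered with a Location header.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Headers that carry credentials for the *original* origin.
ORIGIN_BOUND = frozenset({"authorization", "proxy-authorization", "cookie"})


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in, so that
    https://a.example and https://a.example:443 compare equal."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def is_cross_origin(from_url: str, to_url: str) -> bool:
    return origin(from_url) != origin(to_url)


def headers_for_redirect(headers: Dict[str, str], cookies: Dict[str, str],
                         from_url: str, to_url: str):
    """Return (headers, cookies) to send on the redirected request.

    Same origin: everything is kept. Cross origin: origin-bound headers and
    per-request cookies are dropped; ordinary headers (Accept, ...) stay."""
    if not is_cross_origin(from_url, to_url):
        return dict(headers), dict(cookies)
    kept = {k: v for k, v in headers.items() if k.lower() not in ORIGIN_BOUND}
    return kept, {}


def simulate_redirects(start_url: str, redirects: Dict[str, str],
                       headers: Dict[str, str], cookies: Dict[str, str],
                       max_redirects: int = 10) -> List[Tuple[str, Dict[str, str], Dict[str, str]]]:
    """Walk a constructed redirect chain (`redirects` maps a URL to the Location
    it answers with; a URL absent from it is the final response) and record the
    (url, headers, cookies) actually sent at each hop."""
    hops = []
    url = start_url
    for _ in range(max_redirects + 1):
        hops.append((url, dict(headers), dict(cookies)))
        nxt = redirects.get(url)
        if nxt is None:
            return hops
        headers, cookies = headers_for_redirect(headers, cookies, url, nxt)
        url = nxt
    raise RuntimeError(f"more than {max_redirects} redirects")


# Constructed chain: one same-origin hop, then a hop to a different host.
CHAIN = {
    "https://api.example/login": "https://api.example/v2/login",
    "https://api.example/v2/login": "https://cdn.example.net/done",
}
START_HEADERS = {"Authorization": "Bearer t0ken", "Cookie": "sid=abc", "Accept": "application/json"}
START_COOKIES = {"csrf": "xyz"}

if __name__ == "__main__":
    for url, hdrs, cks in simulate_redirects("https://api.example/login", CHAIN,
                                             START_HEADERS, START_COOKIES):
        print(url, sorted(hdrs), cks)
```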
@CLAassistant


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@renovate renovate Bot changed the title from "chore(deps): update dependency aiohttp to v3.13.4 [security]" to "chore(deps): update dependency aiohttp to v3.13.4 [security] - autoclosed" on Jun 23, 2026
@renovate renovate Bot closed this Jun 23, 2026
@renovate renovate Bot deleted the renovate/pypi-aiohttp-vulnerability branch June 23, 2026 19:14
@renovate renovate Bot changed the title from "chore(deps): update dependency aiohttp to v3.13.4 [security] - autoclosed" to "chore(deps): update dependency aiohttp to v3.14.1 [security]" on Jun 23, 2026
@renovate renovate Bot reopened this Jun 23, 2026
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from ebadf0c to b5d6c95 on June 23, 2026 22:10
@github-actions github-actions Bot changed the base branch from main to v0.3-dev June 23, 2026 22:11
@github-actions

Contributor

👋 This PR targeted main, so I've retargeted it to the latest dev branch v0.3-dev.

main is protected and is only an alias of the latest release branch (v0.3.x), kept in lockstep automatically. Active v0.3 work lands on v0.3-dev, which reaches v0.3.x through the standing release-gate PR once the cross-repo E2E matrix is green.
