46 matches found
aiohttp security vulnerability
Aiohttp is an open-source framework developed by aio-libs, used for asynchronous HTTP client/server interactions with asyncio and Python. Versions of AIOHTTP prior to 3.13.4 contained security vulnerabilities; these vulnerabilities stemmed from responses that included too many multipart headers,...
PT-2026-29609
Name of the Vulnerable Software and Affected Versions: AIOHTTP versions prior to 3.13.4. Description: The C parser, used by default in most installations, allowed null bytes and control characters within response headers. An attacker could leverage this to send header values that are interpreted...
PT-2026-29608
Name of the Vulnerable Software and Affected Versions: AIOHTTP versions prior to 3.13.4. Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. An attacker controlling the reason parameter when creating a Response may inject extra headers or similar exploits. Th...
Security update for python-aiohttp
This update for python-aiohttp fixes the following issues: CVE-2025-69228: Fixed denial of service through large payloads (bsc1256022). CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc1256020). CVE-2025-69224: Fixed unicode processing of header values could cause...
CVE-2025-69228
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post method, ...
CVE-2025-69229
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read method in an endpoint, it...
Linux Distros Unpatched Vulnerability : CVE-2025-69224
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smugglin...
Linux Distros Unpatched Vulnerability : CVE-2025-69227
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert...
CVE-2025-69227 AIOHTTP vulnerable to DoS when bypassing asserts
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the...
CVE-2025-69227
CVE-2025-69227 affects AIOHTTP (async HTTP client/server for asyncio) with vulnerable versions 3.13.2 and earlier. The issue is an infinite loop that can trigger a DoS when assert statements are bypassed during POST body processing; if optimizations are enabled (-O or PYTHONOPTIMIZE=1) and a hand...
CVE-2025-69227
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the...
CVE-2025-69225 AIOHTTP Regex Mismatch Allows Unicode in ASCII-Only Protocol Fields
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request...
CVE-2025-69225
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request...
CVE-2025-69224
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed, i.e. without the usual C extensions ...
CVE-2025-69226
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses...
CVE-2025-69226 AIOHTTP allows for a brute-force leak of internal static filepath components
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses...
CVE-2025-69224 AIOHTTP's Unicode processing of header values could cause parsing discrepancies
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed, i.e. without the usual C extensions ...
CVE-2025-69224
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed, i.e. without the usual C extensions ...
aiohttp environment issue vulnerability
aiohttp is an open-source asynchronous HTTP client/server framework for asyncio and Python from aio-libs. An environment issue vulnerability exists in aiohttp 3.13.2 and earlier versions, which stems from the presence of non-ASCII characters that could allow a request entrapment attac...
PT-2026-1355
Name of the Vulnerable Software and Affected Versions: AIOHTTP versions 3.13.2 and below. Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Handling of chunked messages in versions 3.13.2 and below can lead to excessive blocking CPU usage when receiving a...