1147 matches found
EUVD-2026-1045
AIOHTTP vulnerable to DoS when bypassing asserts...
Infinite loop
Overview Affected versions of this package are vulnerable to Infinite loop in the Request.post function. An attacker can cause the application to exhaust system resources by sending a POST request. Note: This is only exploitable if Python optimizations are enabled using the -O flag or setting...
a-mailx (=0.1.0), aba-cli-scrapper (>=0.1.1 <=0.1.6) +1249 more potentially affected by CVE-2025-69227 via aiohttp (>=0.13.1 <=3.13.2)
aiohttp PYPI version =0.13.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =0.1.0, =0.1.31, =0.1.37 and more Source cves: CVE-2025-69227 Source advisory: OSV:GHSA-JJ3X-WXRX-4X23...
a-mailx (=0.1.0), aba-cli-scrapper (>=0.1.1 <=0.1.6) +1120 more potentially affected by CVE-2025-69227 via aiohttp (>=3.0.0b0 <=3.13.2)
aiohttp PYPI version =3.0.0b0, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =0.1.0, =0.1.31, =0.1.37 and more Source cves: CVE-2025-69227 Source advisory: SNYK:PYTHON-AIOHTTP-14871979...
AIOHTTP vulnerable to DoS when bypassing asserts
Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. Impact If optimisations are enabled -O or PYTHONOPTIMIZE=1, and the application includes a handler that uses the Request.post method, then an attacker may be able to...
GHSA-JJ3X-WXRX-4X23 AIOHTTP vulnerable to DoS when bypassing asserts
Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. Impact If optimisations are enabled -O or PYTHONOPTIMIZE=1, and the application includes a handler that uses the Request.post method, then an attacker may be able to...
a-mailx (=0.1.0), aba-cli-scrapper (>=0.1.1 <=0.1.6) +1120 more potentially affected by CVE-2025-69226 via aiohttp (>=3.0.0b0 <=3.13.2)
aiohttp PYPI version =3.0.0b0, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =0.1.0, =0.1.31, =0.1.37 and more Source cves: CVE-2025-69226 Source advisory: SNYK:PYTHON-AIOHTTP-14871888...
EUVD-2026-1046
AIOHTTP vulnerable to brute-force leak of internal static file path components...
a-mailx (=0.1.0), aba-cli-scrapper (>=0.1.1 <=0.1.6) +1249 more potentially affected by CVE-2025-69226 via aiohttp (>=0.13.1 <=3.13.2)
aiohttp PYPI version =0.13.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =0.1.0, =0.1.31, =0.1.37 and more Source cves: CVE-2025-69226 Source advisory: OSV:GHSA-54JQ-C3M8-4M76...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure over the /static endpoint. An attacker can determine the existence of internal path components by sending requests to probe for absolute path elements. Remediation Upgrade aiohttp to version 3.13.3 or higher...
AIOHTTP vulnerable to brute-force leak of internal static file path components
Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components. Impact If an application uses web.static not recommended for production deployments, it may be possible for an attacker to ascertai...
GHSA-54JQ-C3M8-4M76 AIOHTTP vulnerable to brute-force leak of internal static file path components
Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components. Impact If an application uses web.static not recommended for production deployments, it may be possible for an attacker to ascertai...
a-mailx (=0.1.0), aba-cli-scrapper (>=0.1.1 <=0.1.6) +1120 more potentially affected by CVE-2025-69225 via aiohttp (>=3.0.0b0 <=3.13.2)
aiohttp PYPI version =3.0.0b0, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =0.1.0, =0.1.31, =0.1.37 and more Source cves: CVE-2025-69225 Source advisory: SNYK:PYTHON-AIOHTTP-14871929...
EUVD-2026-1047
AIOHTTP has unicode match groups in regexes for ASCII protocol elements...
HTTP Request Smuggling
Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the parsing of Range headers. An attacker can potentially interfere with HTTP request processing by supplying non-ASCII decimals in the header, which may lead to unexpected parser mismatches. Remediation Upgra...
a-mailx (=0.1.0), aba-cli-scrapper (>=0.1.1 <=0.1.6) +1249 more potentially affected by CVE-2025-69225 via aiohttp (>=0.13.1 <=3.13.2)
aiohttp PYPI version =0.13.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =0.1.0, =0.1.31, =0.1.37 and more Source cves: CVE-2025-69225 Source advisory: OSV:GHSA-MQQC-3GQH-H2X8...
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
Summary The parser allows non-ASCII decimals to be present in the Range header. Impact There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. ---- Patch:...
GHSA-MQQC-3GQH-H2X8 AIOHTTP has unicode match groups in regexes for ASCII protocol elements
Summary The parser allows non-ASCII decimals to be present in the Range header. Impact There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. ---- Patch:...
a-mailx (=0.1.0), aba-cli-scrapper (>=0.1.1 <=0.1.6) +1249 more potentially affected by CVE-2025-69224 via aiohttp (>=0.13.1 <=3.13.2)
aiohttp PYPI version =0.13.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =0.1.0, =0.1.31, =0.1.37 and more Source cves: CVE-2025-69224 Source advisory: OSV:GHSA-69F9-5GXW-WVC2...
a-mailx (=0.1.0), aba-cli-scrapper (>=0.1.1 <=0.1.6) +1120 more potentially affected by CVE-2025-69224 via aiohttp (>=3.0.0b0 <=3.13.2)
aiohttp PYPI version =3.0.0b0, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =0.1.0, =0.1.31, =0.1.37 and more Source cves: CVE-2025-69224 Source advisory: SNYK:PYTHON-AIOHTTP-14871873...