29 matches found
UBUNTU-CVE-2026-54279
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an...
UBUNTU-CVE-2026-54273
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an...
UBUNTU-CVE-2026-54277
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an...
UBUNTU-CVE-2026-54278
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an...
UBUNTU-CVE-2026-54274
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an...
UBUNTU-CVE-2026-54276
AIOHTTP is an asynchronous HTTP client/server framework for asyncio an...
GHSA-9X8Q-7H8H-WCW9 aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Summary Payload resources are not closed correctly when a client disconnects in the middle of a write. Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file...
GHSA-G3CQ-J2XW-WF74 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS a zip bomb edge case. Workaround...
GHSA-2FQR-MR3J-6WP8 aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
Summary Host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed. ----- Patch:...
HTTP Response Splitting
Overview Affected versions of this package are vulnerable to HTTP Response Splitting via MultipartWriter.append or Payload.headers when attacker-controlled input is included in multipart or payload headers. An attacker can inject additional headers or alter the contents of a request by supplying...
UBUNTU-CVE-2026-34993
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect man...
UBUNTU-CVE-2026-47265
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the cookies parameter on requests are sent after following a cross-origin redirect. If a developer uses the cookies parameter on a per-request basis then sensitive data might ...
Linux Distros Unpatched Vulnerability : CVE-2026-34517
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire...
HTTP Response Splitting
Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the reason parameter in the HTTP response creation process. An attacker can inject unauthorized headers or manipulate the HTTP response by supplying specially crafted input containing carriage return...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the static resource handler on Windows. An attacker can extract NTLMv2 credential hashes by accessing specially crafted remote paths, potentially leading to credential theft. Remediation Upgrade aioht...
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
Summary On Windows the static resource handler may expose information about a NTLMv2 remote path. Impact If an application is running on Windows, and using aiohttp's static resource handler not recommended in production, then it may be possible for an attacker to extract the hash from an NTLMv2...
DEBIAN-CVE-2026-34520
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...
UBUNTU-CVE-2026-34525
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4...
UBUNTU-CVE-2026-34514
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the contenttype parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...
CVE-2026-34513 AIOHTTP: Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4...