Aio-libs Aiohttp Session

8 matches found

added 2024/11/18 9:15 p.m. | 2649 views

CVE-2024-52304

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed ...

CVSS 7.5 | AI score 7 | EPSS 0.00168

added 2024/04/18 3:15 p.m. | 304 views

CVE-2024-27306

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. An XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following th...

CVSS 6.1 | AI score 5.5 | EPSS 0.00508

added 2024/05/02 2:15 p.m. | 268 views

CVE-2024-30251

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further request...

CVSS 7.5 | AI score 6.3 | EPSS 0.00271

added 2024/08/12 1:38 p.m. | 240 views

CVE-2024-42367

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (.gz or .br extension) are vulnerable to path traversal outside the root directory if those variants are...

CVSS 4.8 | AI score 5.3 | EPSS 0.00267

added 2024/11/18 8:15 p.m. | 235 views

CVE-2024-52303

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchIn...

CVSS 8.7 | AI score 7.3 | EPSS 0.00229

added 2018/06/26 4:29 p.m. | 65 views

CVE-2018-1000519

aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appears to be exploitable via Any method ...

CVSS 6.5 | AI score 6.3 | EPSS 0.00217

added 2018/12/20 3:29 p.m. | 62 views

CVE-2018-1000814

aio-libs aiohttp-session version 2.6.0 and earlier contains an Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appears to be exploitable via Recreation of a cookie post-expiry with the same value.

CVSS 6.5 | AI score 6.3 | EPSS 0.00241

added 2025/07/14 9:15 p.m. | 44 views

CVE-2025-53643

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the u...

CVSS 7.5 | AI score 7.3 | EPSS 0.00044