39 matches found
CVE-2024-52304
CVE-2024-52304 – aiohttp request-smuggling vulnerability : Prior to 3.10.11, aiohttp’s Python parser mishandled newlines in chunk extensions, enabling a request-smuggling condition under certain scenarios. If a pure-Python build (no C extensions) or AIOHTTP_NO_EXTENSIONS is used, an attacker coul...
CVE-2024-23829
CVE-2024-23829 affects aiohttp (Python HTTP client/server). The issue stems from lenient HTTP parsing in security-sensitive parts of the parser, which could fail to robustly match frame boundaries and allow request smuggling, and may trigger unhandled exceptions leading to resource exhaustion. Co...
CVE-2023-47627
aiohttp (Python asyncio HTTP client/server) contains a vulnerability in its HTTP parser that can lead to request smuggling when the parser is used (AIOHTTP_NO_EXTENSIONS). The issue is fixed in release 3.8.6; upgrade to 3.8.6 or later. The vulnerability is tied to header parsing and is addressed ...
CVE-2023-49081
CVE-2023-49081 affects aiohttp (HTTP header/HTTP version validation issues) with remediation across multiple vendors: Debian advisories show fixes for python-aiohttp (Debian 11 bullseye: 3.7.4-1+deb11u1; DSA-5828-1 fixes to 3.8.4-1+deb12u1), IBM Storage Fusion bulletin requires upgrading to 2.8.0...
CVE-2023-49082
CVE-2023-49082 : aiohttp contains improper validation that can enable an attacker to modify the HTTP request (for example inserting headers) or create a new HTTP request when the attacker can control the HTTP method. The impact is described as enabling request modification and potential request s...
CVE-2024-27306
CVE-2024-27306 : An XSS vulnerability exists in aiohttp’s index pages for static file handling. Root cause: improper validation of input on index/static file pages. The issue is fixed in aiohttp 3.9.4. Public advisories recommend upgrading to the patched version; for those unable to upgrade, a wo...
CVE-2024-30251
CVE-2024-30251 affects aio-libs aiohttp. An attacker can send a specially crafted POST (multipart/form-data) request and the aiohttp server may enter an infinite loop while processing it, causing a denial of service. The issue is addressed in a patched version (3.9.4); remediation is to upgrade t...
CVE-2021-21330
CVE-2021-21330 affects aiohttp up to version 3.7.4, with an open redirect caused by a bug in aiohttp.web_middlewares.normalize_path_middleware. The vulnerability allows a malicious link to redirect a user’s browser to an attacker-controlled site. The issue is fixed in aiohttp 3.7.4. Remediation: ...
CVE-2026-34993
In CVE-2026-34993, AIOHTTP prior to 3.14.0 is vulnerable: using CookieJar.load() with untrusted input may lead to arbitrary code execution. The issue stems from deserializing untrusted data in the cookie jar. The advisory notes that most applications will be unaffected since data are user-owned, ...
CVE-2025-53643
CVE-2025-53643 (aiohttp) : Prior to 3.12.14, the Python parser is vulnerable to HTTP request smuggling due to not parsing trailer sections. If a pure-Python build (no C extensions) or AIOHTTP_NO_EXTENSIONS is used, an attacker may smuggle requests to bypass certain firewalls/proxy protections. Th...
CVE-2023-47641
CVE-2023-47641 affects aiohttp (Python), where HTTP/1.1 handling can misinterpret requests when both Content-Length and Transfer-Encoding headers are present. The vendor describes a PoC using a reverse proxy that accepts both headers, with aiohttp backend treating chunked input as valid and Conte...
CVE-2026-47265
AIOHTTP prior to 3.14.0 is vulnerable: cookies provided via the cookies parameter on per-request calls are sent after following a cross-origin redirect, which may leak sensitive data if an attacker can control the redirect. Version 3.14.0 patches the issue. As a workaround, using a Cookie header ...
CVE-2026-54279
CVE-2026-54279 affects the aiohttp library (Python asyncio framework). Prior to version 3.14.1, host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() may lose their host-only status, effectively becoming domain cookies. The issue is fixed in aiohttp 3.14.1. Affect...
CVE-2026-54277
CVE-2026-54277 affects AIOHTTP prior to 3.14.1 where the max_line_size check in parts of the C HTTP parser can be bypassed, allowing an attacker to send oversized lines and cause excessive memory use leading to DoS. The issue occurs when using the optimized C parser (default in pre-built wheels)....
CVE-2026-54276
CVE-2026-54276 affects the AIOHTTP framework prior to version 3.14.1, where DigestAuthMiddleware could send an authentication response after following a cross-origin redirect. This requires an open redirect or similar condition on the target domain and exposes the Digest header, potentially allow...
CVE-2026-34518
CVE-2026-34518 affects aiohttp prior to 3.13.4: during cross-origin redirects, the client/server framework drops the Authorization header but keeps Cookie and Proxy-Authorization headers. This could expose sensitive cookie-related data across origins. The issue is fixed in aiohttp 3.13.4.
CVE-2026-54273
CVE-2026-54273 (AIOHTTP) affects the AIOHTTP project (async HTTP client/server for asyncio and Python). Prior to version 3.14.1, there was no limit on the number of pipelined HTTP/1 requests that could be queued, enabling potential memory exhaustion and DoS. The issue is fixed in 3.14.1. The prov...
CVE-2026-54274
The CVE-2026-54274 entry concerns AIOHTTP (async HTTP framework for asyncio/Python). It identifies that prior to version 3.14.1, an attacker could send large incomplete websocket frame payloads, potentially bypassing memory-use limits. The vulnerability affects AIOHTTP’s websocket handling logic ...
CVE-2026-54280
CVE-2026-54280 affects the AIOHTTP project (async HTTP client/server for asyncio/Python). Before version 3.14.1, payload resources may not be closed correctly if a client disconnects mid-write, allowing temporary resource starvation when a payload uses a limited resource (e.g., open files). The i...
CVE-2026-34517
CVE-2026-34517 (AIOHTTP) affects the AIOHTTP Python library. Before version 3.13.4, some multipart form fields caused the library to read the entire field into memory before enforcing the request size limit (client_max_size), creating a potential memory-based denial of service. The issue has been...
CVE-2025-69224
AIOHTTP (Python) vulnerability CVE-2025-69224 affects versions 3.13.2 and below of the Python HTTP parser. The issue arises from how non-ASCII characters may enable a request smuggling attack, potentially bypassing firewalls or proxy protections when a pure-Python build is used or AIOHTTP_NO_EXTE...
CVE-2025-69229
CVE-2025-69229 affects aiohttp up to version 3.13.2, where chunked message handling can cause excessive blocking CPU time when processing many chunks, potentially enabling DoS. The issue is fixed in version 3.13.3. Remediation: upgrade to 3.13.3 or newer. Notes from connected docs confirm the DoS...
CVE-2026-34513
CVE-2026-34513 affects aiohttp prior to 3.13.4, where an unbounded DNS cache could cause excessive memory usage leading to a DoS. The issue has been patched in 3.13.4. Affected component: aiohttp (async HTTP client/server for asyncio). Root cause: unbounded DNS cache memory growth. Impact: potent...
CVE-2026-34525
AIOHTTP (async HTTP client/server for asyncio and Python) before version 3.13.4 allowed multiple Host headers due to its header handling. This issue has been fixed in version 3.13.4. Affected component: Host header processing in aiohttp prior to 3.13.4. Remediation: upgrade to 3.13.4 or later. Ex...
CVE-2026-54275
CVE-2026-54275 (aiohttp) affects the aiohttp package prior to 3.14.1. The issue is a TLS server_hostname SNI check bypass that occurs when an existing connection is reused for multiple requests with different per-request server_hostname values. As a result, later requests to the same domain may r...
CVE-2025-69225
CVE-2025-69225 affects the aiohttp project (versions 3.13.2 and below) where the Range header parser incorrectly allows non-ASCII decimals. The description notes no known impact but discloses a potential method for exploiting a request smuggling vulnerability; remediation is to upgrade to 3.13.3....
CVE-2026-34520
CVE-2026-34520 affects the aiohttp project. Prior to version 3.13.4, the C parser (llhttp, default for most installs) accepted null bytes and control characters in response header values, enabling header-related issues. The issue has been patched in aiohttp 3.13.4. Per connected sources, the vuln...
CVE-2026-54278
CVE-2026-54278 affects the AIOHTTP framework for Python. Prior to 3.14.1, during cleanup a compressed request body could be decompressed in memory in one chunk, potentially enabling a DoS via a zip-bomb scenario. Impact is described as high for availability and no confidentiality/integrity impact...
CVE-2026-22815
CVE-2026-22815 affects aiohttp (Python asyncio HTTP framework). Prior to version 3.13.4, insufficient restrictions in header/trailer handling could lead to unbounded memory growth; this was patched in 3.13.4. A Nessus/NVD-style CVE entry confirms the issue and the fix. Remediation: upgrade to aio...
CVE-2025-69226
CVE-2025-69226 affects AIOHTTP (async HTTP client/server for asyncio) where versions 3.13.2 and below leak information about absolute path components via the static file path normalization logic when using web.static(). This can enable an attacker to determine path components; the issue is fixed ...
CVE-2025-69223
CVE-2025-69223 affects AIOHTTP (async HTTP framework for asyncio/Python). Version 3.13.2 and earlier are vulnerable to a zip bomb that, when decompressed by the server, can exhaust memory and cause a DoS. The issue is resolved in version 3.13.3. In practice, an attacker could send a compressed re...
CVE-2025-69228
CVE-2025-69228 affects the AIOHTTP project. Versions 3.13.2 and earlier allow a crafted request, particularly involving handlers that use Request.post(), to cause memory exhaustion on the server, leading to a denial of service. The issue is remediation by upgrading to 3.13.3. The provided sources...
CVE-2025-69230
CVE-2025-69230 affects the AIOHTTP project (async HTTP client/server for asyncio and Python). In versions 3.13.2 and earlier, reading multiple invalid cookies can trigger a storm of warning-level logs when a malicious Cookie header is crafted. The issue is fixed in version 3.13.3. Impact is descr...
CVE-2026-34514
CVE-2026-34514 affects AIOHTTP prior to 3.13.4, where the content_type parameter used when constructing multipart headers could enable CRLF injection leading to extra header insertion. The vulnerability is mitigated by upgrading to 3.13.4, which patches the issue. The CVSS data (MEDIUM, network v...
CVE-2026-50269
CVE-2026-50269 affects the AIOHTTP library (asyncio-based HTTP client/server). The issue is a CRLF/header injection vulnerability in multipart handling: attacker-controlled input passed to MultipartWriter.append(headers=...) or Payload.headers could allow modifying the outgoing request (injection...
CVE-2025-69227
CVE-2025-69227 affects AIOHTTP (async HTTP client/server for asyncio) with vulnerable versions 3.13.2 and earlier. The issue is an infinite loop that can trigger a DoS when assert statements are bypassed during POST body processing; if optimizations are enabled (-O or PYTHONOPTIMIZE=1) and a hand...
CVE-2026-34516
This CVE concerns AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may cause higher memory usage, enabling a DoS vulnerability. The issue has been patched in 3.13.4. Affected: AIOHTTP up...
CVE-2026-34519
CVE-2026-34519 affects the AIOHTTP library (asyncio-based HTTP client/server for Python). The issue occurs before version 3.13.4 where an attacker controlling the reason parameter when creating a Response can inject extra headers or similar exploits due to header injection in the reason phrase. T...
CVE-2026-34515
CVE-2026-34515 affects the AIOHTTP framework prior to 3.13.4. On Windows, the static resource handler could expose information about a NTLMv2 remote path, enabling UNC SSRF and potential credential exposure or local file read. The issue has been fixed in version 3.13.4. The CVE entry (CVE-2026-34...