Lucene search
K

39 matches found

CVE
CVE
added 2024/11/18 8:12 p.m.3093 views

CVE-2024-52304

CVE-2024-52304 – aiohttp request-smuggling vulnerability : Prior to 3.10.11, aiohttp’s Python parser mishandled newlines in chunk extensions, enabling a request-smuggling condition under certain scenarios. If a pure-Python build (no C extensions) or AIOHTTP_NO_EXTENSIONS is used, an attacker coul...

7.5CVSS7AI score0.00576EPSS
CVE
CVE
added 2024/01/29 10:41 p.m.410 views

CVE-2024-23829

CVE-2024-23829 affects aiohttp (Python HTTP client/server). The issue stems from lenient HTTP parsing in security-sensitive parts of the parser, which could fail to robustly match frame boundaries and allow request smuggling, and may trigger unhandled exceptions leading to resource exhaustion. Co...

6.5CVSS6.9AI score0.0102EPSS
CVE
CVE
added 2023/11/14 8:48 p.m.400 views

CVE-2023-47627

aiohttp (Python asyncio HTTP client/server) contains a vulnerability in its HTTP parser that can lead to request smuggling when the parser is used (AIOHTTP_NO_EXTENSIONS). The issue is fixed in release 3.8.6; upgrade to 3.8.6 or later. The vulnerability is tied to header parsing and is addressed ...

7.5CVSS6.6AI score0.0085EPSS
CVE
CVE
added 2023/11/30 6:56 a.m.396 views

CVE-2023-49081

CVE-2023-49081 affects aiohttp (HTTP header/HTTP version validation issues) with remediation across multiple vendors: Debian advisories show fixes for python-aiohttp (Debian 11 bullseye: 3.7.4-1+deb11u1; DSA-5828-1 fixes to 3.8.4-1+deb12u1), IBM Storage Fusion bulletin requires upgrading to 2.8.0...

7.2CVSS6AI score0.00874EPSS
CVE
CVE
added 2023/11/29 8:7 p.m.376 views

CVE-2023-49082

CVE-2023-49082 : aiohttp contains improper validation that can enable an attacker to modify the HTTP request (for example inserting headers) or create a new HTTP request when the attacker can control the HTTP method. The impact is described as enabling request modification and potential request s...

5.3CVSS5.9AI score0.0094EPSS
CVE
CVE
added 2024/04/18 2:23 p.m.372 views

CVE-2024-27306

CVE-2024-27306 : An XSS vulnerability exists in aiohttp’s index pages for static file handling. Root cause: improper validation of input on index/static file pages. The issue is fixed in aiohttp 3.9.4. Public advisories recommend upgrading to the patched version; for those unable to upgrade, a wo...

6.1CVSS5.5AI score0.00666EPSS
CVE
CVE
added 2024/05/02 1:55 p.m.337 views

CVE-2024-30251

CVE-2024-30251 affects aio-libs aiohttp. An attacker can send a specially crafted POST (multipart/form-data) request and the aiohttp server may enter an infinite loop while processing it, causing a denial of service. The issue is addressed in a patched version (3.9.4); remediation is to upgrade t...

7.5CVSS6.3AI score0.01085EPSS
CVE
CVE
added 2021/02/26 2:15 a.m.250 views

CVE-2021-21330

CVE-2021-21330 affects aiohttp up to version 3.7.4, with an open redirect caused by a bug in aiohttp.web_middlewares.normalize_path_middleware. The vulnerability allows a malicious link to redirect a user’s browser to an attacker-controlled site. The issue is fixed in aiohttp 3.7.4. Remediation: ...

6.1CVSS5.7AI score0.01905EPSS
CVE
CVE
added 2026/06/02 6:29 p.m.126 views

CVE-2026-34993

In CVE-2026-34993, AIOHTTP prior to 3.14.0 is vulnerable: using CookieJar.load() with untrusted input may lead to arbitrary code execution. The issue stems from deserializing untrusted data in the cookie jar. The advisory notes that most applications will be unaffected since data are user-owned, ...

7.3CVSS6.1AI score0.00128EPSS
CVE
CVE
added 2025/07/14 8:17 p.m.123 views

CVE-2025-53643

CVE-2025-53643 (aiohttp) : Prior to 3.12.14, the Python parser is vulnerable to HTTP request smuggling due to not parsing trailer sections. If a pure-Python build (no C extensions) or AIOHTTP_NO_EXTENSIONS is used, an attacker may smuggle requests to bypass certain firewalls/proxy protections. Th...

7.5CVSS7.3AI score0.00297EPSS
CVE
CVE
added 2023/11/14 8:44 p.m.105 views

CVE-2023-47641

CVE-2023-47641 affects aiohttp (Python), where HTTP/1.1 handling can misinterpret requests when both Content-Length and Transfer-Encoding headers are present. The vendor describes a PoC using a reverse proxy that accepts both headers, with aiohttp backend treating chunked input as valid and Conte...

6.5CVSS5.1AI score0.00827EPSS
CVE
CVE
added 2026/06/02 6:32 p.m.88 views

CVE-2026-47265

AIOHTTP prior to 3.14.0 is vulnerable: cookies provided via the cookies parameter on per-request calls are sent after following a cross-origin redirect, which may leak sensitive data if an attacker can control the redirect. Version 3.14.0 patches the issue. As a workaround, using a Cookie header ...

8.7CVSS5.8AI score0.0015EPSS
CVE
CVE
added 2026/06/22 4:32 p.m.52 views

CVE-2026-54279

CVE-2026-54279 affects the aiohttp library (Python asyncio framework). Prior to version 3.14.1, host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() may lose their host-only status, effectively becoming domain cookies. The issue is fixed in aiohttp 3.14.1. Affect...

7.5CVSS5.8AI score0.00279EPSS
CVE
CVE
added 2026/06/22 4:37 p.m.49 views

CVE-2026-54277

CVE-2026-54277 affects AIOHTTP prior to 3.14.1 where the max_line_size check in parts of the C HTTP parser can be bypassed, allowing an attacker to send oversized lines and cause excessive memory use leading to DoS. The issue occurs when using the optimized C parser (default in pre-built wheels)....

8.7CVSS5.8AI score0.00322EPSS
CVE
CVE
added 2026/06/22 4:36 p.m.47 views

CVE-2026-54276

CVE-2026-54276 affects the AIOHTTP framework prior to version 3.14.1, where DigestAuthMiddleware could send an authentication response after following a cross-origin redirect. This requires an open redirect or similar condition on the target domain and exposes the Digest header, potentially allow...

6.3CVSS5.9AI score0.00178EPSS
CVE
CVE
added 2026/04/01 8:15 p.m.44 views

CVE-2026-34518

CVE-2026-34518 affects aiohttp prior to 3.13.4: during cross-origin redirects, the client/server framework drops the Authorization header but keeps Cookie and Proxy-Authorization headers. This could expose sensitive cookie-related data across origins. The issue is fixed in aiohttp 3.13.4.

6.9CVSS5.8AI score0.00337EPSS
CVE
CVE
added 2026/06/22 4:41 p.m.42 views

CVE-2026-54273

CVE-2026-54273 (AIOHTTP) affects the AIOHTTP project (async HTTP client/server for asyncio and Python). Prior to version 3.14.1, there was no limit on the number of pipelined HTTP/1 requests that could be queued, enabling potential memory exhaustion and DoS. The issue is fixed in 3.14.1. The prov...

8.7CVSS5.8AI score0.00279EPSS
CVE
CVE
added 2026/06/22 4:33 p.m.42 views

CVE-2026-54274

The CVE-2026-54274 entry concerns AIOHTTP (async HTTP framework for asyncio/Python). It identifies that prior to version 3.14.1, an attacker could send large incomplete websocket frame payloads, potentially bypassing memory-use limits. The vulnerability affects AIOHTTP’s websocket handling logic ...

8.7CVSS5.8AI score0.00305EPSS
CVE
CVE
added 2026/06/22 4:40 p.m.40 views

CVE-2026-54280

CVE-2026-54280 affects the AIOHTTP project (async HTTP client/server for asyncio/Python). Before version 3.14.1, payload resources may not be closed correctly if a client disconnects mid-write, allowing temporary resource starvation when a payload uses a limited resource (e.g., open files). The i...

7.5CVSS5.8AI score0.00281EPSS
CVE
CVE
added 2026/04/01 8:14 p.m.37 views

CVE-2026-34517

CVE-2026-34517 (AIOHTTP) affects the AIOHTTP Python library. Before version 3.13.4, some multipart form fields caused the library to read the entire field into memory before enforcing the request size limit (client_max_size), creating a potential memory-based denial of service. The issue has been...

6.9CVSS5.8AI score0.00384EPSS
CVE
CVE
added 2026/01/05 10:35 p.m.33 views

CVE-2025-69224

AIOHTTP (Python) vulnerability CVE-2025-69224 affects versions 3.13.2 and below of the Python HTTP parser. The issue arises from how non-ASCII characters may enable a request smuggling attack, potentially bypassing firewalls or proxy protections when a pure-Python build is used or AIOHTTP_NO_EXTE...

6.5CVSS6.6AI score0.00213EPSS
CVE
CVE
added 2026/01/05 11:37 p.m.33 views

CVE-2025-69229

CVE-2025-69229 affects aiohttp up to version 3.13.2, where chunked message handling can cause excessive blocking CPU time when processing many chunks, potentially enabling DoS. The issue is fixed in version 3.13.3. Remediation: upgrade to 3.13.3 or newer. Notes from connected docs confirm the DoS...

8.7CVSS6.2AI score0.00338EPSS
CVE
CVE
added 2026/04/01 8:6 p.m.33 views

CVE-2026-34513

CVE-2026-34513 affects aiohttp prior to 3.13.4, where an unbounded DNS cache could cause excessive memory usage leading to a DoS. The issue has been patched in 3.13.4. Affected component: aiohttp (async HTTP client/server for asyncio). Root cause: unbounded DNS cache memory growth. Impact: potent...

7.5CVSS5.8AI score0.0044EPSS
CVE
CVE
added 2026/04/01 8:28 p.m.33 views

CVE-2026-34525

AIOHTTP (async HTTP client/server for asyncio and Python) before version 3.13.4 allowed multiple Host headers due to its header handling. This issue has been fixed in version 3.13.4. Affected component: Host header processing in aiohttp prior to 3.13.4. Remediation: upgrade to 3.13.4 or later. Ex...

6.3CVSS5.8AI score0.00288EPSS
CVE
CVE
added 2026/06/22 4:34 p.m.33 views

CVE-2026-54275

CVE-2026-54275 (aiohttp) affects the aiohttp package prior to 3.14.1. The issue is a TLS server_hostname SNI check bypass that occurs when an existing connection is reused for multiple requests with different per-request server_hostname values. As a result, later requests to the same domain may r...

7.5CVSS5.8AI score0.00266EPSS
CVE
CVE
added 2026/01/05 11:16 p.m.32 views

CVE-2025-69225

CVE-2025-69225 affects the aiohttp project (versions 3.13.2 and below) where the Range header parser incorrectly allows non-ASCII decimals. The description notes no known impact but discloses a potential method for exploiting a request smuggling vulnerability; remediation is to upgrade to 3.13.3....

6.9CVSS6.3AI score0.00236EPSS
CVE
CVE
added 2026/04/01 8:27 p.m.32 views

CVE-2026-34520

CVE-2026-34520 affects the aiohttp project. Prior to version 3.13.4, the C parser (llhttp, default for most installs) accepted null bytes and control characters in response header values, enabling header-related issues. The issue has been patched in aiohttp 3.13.4. Per connected sources, the vuln...

9.1CVSS5.8AI score0.00461EPSS
CVE
CVE
added 2026/06/22 4:38 p.m.32 views

CVE-2026-54278

CVE-2026-54278 affects the AIOHTTP framework for Python. Prior to 3.14.1, during cleanup a compressed request body could be decompressed in memory in one chunk, potentially enabling a DoS via a zip-bomb scenario. Impact is described as high for availability and no confidentiality/integrity impact...

8.7CVSS5.8AI score0.00279EPSS
CVE
CVE
added 2026/04/01 8:8 p.m.30 views

CVE-2026-22815

CVE-2026-22815 affects aiohttp (Python asyncio HTTP framework). Prior to version 3.13.4, insufficient restrictions in header/trailer handling could lead to unbounded memory growth; this was patched in 3.13.4. A Nessus/NVD-style CVE entry confirms the issue and the fix. Remediation: upgrade to aio...

7.5CVSS5.8AI score0.0044EPSS
CVE
CVE
added 2026/01/05 10:52 p.m.29 views

CVE-2025-69226

CVE-2025-69226 affects AIOHTTP (async HTTP client/server for asyncio) where versions 3.13.2 and below leak information about absolute path components via the static file path normalization logic when using web.static(). This can enable an attacker to determine path components; the issue is fixed ...

6.3CVSS6.2AI score0.00313EPSS
CVE
CVE
added 2026/01/05 10:0 p.m.28 views

CVE-2025-69223

CVE-2025-69223 affects AIOHTTP (async HTTP framework for asyncio/Python). Version 3.13.2 and earlier are vulnerable to a zip bomb that, when decompressed by the server, can exhaust memory and cause a DoS. The issue is resolved in version 3.13.3. In practice, an attacker could send a compressed re...

7.5CVSS6.5AI score0.00487EPSS
CVE
CVE
added 2026/01/05 11:30 p.m.27 views

CVE-2025-69228

CVE-2025-69228 affects the AIOHTTP project. Versions 3.13.2 and earlier allow a crafted request, particularly involving handlers that use Request.post(), to cause memory exhaustion on the server, leading to a denial of service. The issue is remediation by upgrading to 3.13.3. The provided sources...

8.7CVSS6.3AI score0.00347EPSS
CVE
CVE
added 2026/01/05 11:47 p.m.27 views

CVE-2025-69230

CVE-2025-69230 affects the AIOHTTP project (async HTTP client/server for asyncio and Python). In versions 3.13.2 and earlier, reading multiple invalid cookies can trigger a storm of warning-level logs when a malicious Cookie header is crafted. The issue is fixed in version 3.13.3. Impact is descr...

6.9CVSS6.2AI score0.00332EPSS
CVE
CVE
added 2026/04/01 8:9 p.m.26 views

CVE-2026-34514

CVE-2026-34514 affects AIOHTTP prior to 3.13.4, where the content_type parameter used when constructing multipart headers could enable CRLF injection leading to extra header insertion. The vulnerability is mitigated by upgrading to 3.13.4, which patches the issue. The CVSS data (MEDIUM, network v...

6.9CVSS5.8AI score0.00315EPSS
CVE
CVE
added 2026/06/22 4:30 p.m.26 views

CVE-2026-50269

CVE-2026-50269 affects the AIOHTTP library (asyncio-based HTTP client/server). The issue is a CRLF/header injection vulnerability in multipart handling: attacker-controlled input passed to MultipartWriter.append(headers=...) or Payload.headers could allow modifying the outgoing request (injection...

7.5CVSS5.8AI score0.00301EPSS
CVE
CVE
added 2026/01/05 11:19 p.m.21 views

CVE-2025-69227

CVE-2025-69227 affects AIOHTTP (async HTTP client/server for asyncio) with vulnerable versions 3.13.2 and earlier. The issue is an infinite loop that can trigger a DoS when assert statements are bypassed during POST body processing; if optimizations are enabled (-O or PYTHONOPTIMIZE=1) and a hand...

8.7CVSS6.5AI score0.00337EPSS
CVE
CVE
added 2026/04/01 8:13 p.m.18 views

CVE-2026-34516

This CVE concerns AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may cause higher memory usage, enabling a DoS vulnerability. The issue has been patched in 3.13.4. Affected: AIOHTTP up...

8.7CVSS5.7AI score0.0044EPSS
CVE
CVE
added 2026/04/01 8:26 p.m.16 views

CVE-2026-34519

CVE-2026-34519 affects the AIOHTTP library (asyncio-based HTTP client/server for Python). The issue occurs before version 3.13.4 where an attacker controlling the reason parameter when creating a Response can inject extra headers or similar exploits due to header injection in the reason phrase. T...

6.9CVSS5.7AI score0.00292EPSS
CVE
CVE
added 2026/04/01 8:10 p.m.14 views

CVE-2026-34515

CVE-2026-34515 affects the AIOHTTP framework prior to 3.13.4. On Windows, the static resource handler could expose information about a NTLMv2 remote path, enabling UNC SSRF and potential credential exposure or local file read. The issue has been fixed in version 3.13.4. The CVE entry (CVE-2026-34...

8.7CVSS5.8AI score0.00433EPSS