Aio-Libs Aiohttp vulnerabilities

CVE-2026-22815 [MEDIUM] CWE-400 CVE-2026-22815: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.

CVE-2026-34516 [MEDIUM] CWE-770 CVE-2026-34516: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched in version 3.13.4.

CVE-2026-34515 [MEDIUM] CWE-36 CVE-2026-34515: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.

CVE-2026-34525 [MEDIUM] CWE-20 CVE-2026-34525: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

CVE-2026-34517 [LOW] CWE-770 CVE-2026-34517: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.

CVE-2026-34520 [LOW] CWE-113 CVE-2026-34520: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.

CVE-2026-34519 [LOW] CWE-113 CVE-2026-34519: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

CVE-2026-34514 [LOW] CWE-113 CVE-2026-34514: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

CVE-2026-34513 [LOW] CWE-770 CVE-2026-34513: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.

CVE-2026-34518 [LOW] CWE-200 CVE-2026-34518: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4.

CVE-2025-69227 [MEDIUM] CWE-835 CVE-2025-69227: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.po

CVE-2025-69229 [MEDIUM] CWE-770 CVE-2025-69229: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 a AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server

CVE-2025-69228 [MEDIUM] CWE-770 CVE-2025-69228: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhau

CVE-2025-69230 [LOW] CWE-779 CVE-2025-69230: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 a AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. This issue is f

CVE-2025-69225 [LOW] CWE-444 CVE-2025-69225: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.

CVE-2025-69223 [HIGH] CWE-409 CVE-2025-69223: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

CVE-2025-69224 [MEDIUM] CWE-444 CVE-2025-69224: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker

CVE-2025-69226 [MEDIUM] CWE-22 CVE-2025-69226: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it m

CVE-2025-53643 [LOW] CWE-444 CVE-2025-53643: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled,

CVE-2024-52303 [HIGH] CWE-772 CVE-2024-52303: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. An attacker ma