Python/aiohttp/3.10.4


Async http client/server framework (asyncio)

https://pypi.org/project/aiohttp
Apache-2.0

20 Security Vulnerabilities

AIOHTTP has CRLF injection through multipart part content type header construction

Published date: 2026-04-01T21:20:06Z
CVE: CVE-2026-34514

Summary

An attacker who controls the content_type parameter in aiohttp could use it to inject extra headers or carry out similar exploits.

Impact

If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.


Patch: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Published date: 2026-04-01T21:47:07Z
CVE: CVE-2026-34517

Summary

For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.

Impact

If an application uses Request.post(), an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.


Patch: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP vulnerable to brute-force leak of internal static file path components

Published date: 2026-01-05T23:09:51Z
CVE: CVE-2025-69226

Summary

Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components.

Impact

If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.


Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e

Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Published date: 2026-04-01T21:49:06Z
CVE: CVE-2026-34520

Summary

The C parser (the default for most installs) accepted null bytes and control characters in response headers.

Impact

An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or what a reverse proxy interpreted it as, potentially resulting in some kind of security bypass.


Patch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP's unicode processing of header values could cause parsing discrepancies

Published date: 2026-01-05T22:58:57Z
CVE: CVE-2025-69224

Summary

The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0

Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP vulnerable to denial of service through large payloads

Published date: 2026-01-05T23:13:14Z
CVE: CVE-2025-69228

Summary

A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.

Impact

If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory.


Patch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60

Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb

Published date: 2026-01-05T22:58:41Z
CVE: CVE-2025-69223

Summary

A zip bomb can be used to execute a DoS against the aiohttp server.

Impact

An attacker may be able to send a compressed request that, when decompressed by aiohttp, could exhaust the host's memory.


Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a

Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

aiohttp allows request smuggling due to incorrect parsing of chunk extensions

Published date: 2024-11-18T21:02:32Z
CVE: CVE-2024-52304

Summary

The Python parser parses newlines in chunk extensions incorrectly, which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

Affected versions: ["3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", 
"0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections

Published date: 2025-07-14T19:33:31Z
CVE: CVE-2025-53643

Summary

The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a

Affected versions: ["3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", 
"2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

Published date: 2026-04-01T21:47:46Z
CVE: CVE-2026-34518
Links:

Summary

When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.

Impact

The Cookie and Proxy-Authorization headers could contain sensitive information, which may be leaked to an unintended party after following a redirect.


Patch: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP accepts duplicate Host headers

Published date: 2026-04-01T21:49:45Z
CVE: CVE-2026-34525
Links:

Summary

Multiple Host headers were allowed in aiohttp.

Impact

Mostly this doesn't affect aiohttp security itself. However, if a reverse proxy applies security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names. This could result in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().


Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349
Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP Vulnerable to Cookie Parser Warning Storm

Published date: 2026-01-05T23:13:46Z
CVE: CVE-2025-69230
Links:

Summary

Reading multiple invalid cookies can lead to a logging storm.

Impact

If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.


Patch: https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326

Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP vulnerable to DoS through chunked messages

Published date: 2026-01-05T23:13:29Z
CVE: CVE-2025-69229
Links:

Summary

Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.

Impact

If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.


Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229

Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector

Published date: 2026-04-01T21:19:22Z
CVE: CVE-2026-34513
Links:

Summary

An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.

Impact

If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.


Patch: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP vulnerable to DoS when bypassing asserts

Published date: 2026-01-05T23:10:15Z
CVE: CVE-2025-69227
Links:

Summary

When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.

Impact

If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message.


Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259

Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP has a Multipart Header Size Bypass

Published date: 2026-04-01T21:43:07Z
CVE: CVE-2026-34516
Links:

Summary

A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.

Impact

Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.


Patch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP has unicode match groups in regexes for ASCII protocol elements

Published date: 2026-01-05T23:09:30Z
CVE: CVE-2025-69225
Links:

Summary

The parser allows non-ASCII decimals to be present in the Range header.

Impact

There is no known impact, but it is possible that a method exists to exploit this as a request smuggling vulnerability.


Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96

Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP has HTTP response splitting via \r in reason phrase

Published date: 2026-04-01T21:48:24Z
CVE: CVE-2026-34519
Links:

Summary

An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or perform similar exploits.

Impact

In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended.


Patch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows

Published date: 2026-04-01T21:26:36Z
CVE: CVE-2026-34515
Links:

Summary

On Windows, the static resource handler may expose information about an NTLMv2 remote path.

Impact

If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.


Patch: https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage

Published date: 2026-04-01T19:45:17Z
CVE: CVE-2026-22815
Links:

Summary

Insufficient restrictions in header/trailer handling could cause uncapped memory usage.

Impact

An application could cause memory exhaustion when receiving an attacker-controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.


Patch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

308 Other Versions

Version License Security Released
4.0.0a1 Apache-2.0 2019-10-09 - 11:29 over 6 years
4.0.0a0 Apache-2.0 2019-01-09 - 01:25 over 7 years
3.13.5 Apache-2.0
3.13.4 Apache-2.0
3.13.3 Apache-2.0 10
3.13.2 Apache-2.0 18
3.13.1 Apache-2.0 18
3.13.0 Apache-2.0 18
3.12.15 Apache-2.0 18
3.12.14 Apache-2.0 18
3.12.13 Apache-2.0 19
3.12.12 Apache-2.0 19
3.12.11 Apache-2.0 19
3.12.10 Apache-2.0 19
3.12.9 Apache-2.0 19
3.12.8 Apache-2.0 19
3.12.7 Apache-2.0 19
3.12.6 Apache-2.0 19
3.12.4 Apache-2.0 19
3.12.3 Apache-2.0 19
3.12.2 Apache-2.0 19
3.12.1 Apache-2.0 19
3.12.0 Apache-2.0 19
3.12.0rc1 Apache-2.0 19
3.12.0rc0 Apache-2.0 19
3.12.1rc0 Apache-2.0 19
3.12.7rc0 Apache-2.0 19
3.12.0b3 Apache-2.0 19
3.12.0b2 Apache-2.0 19
3.12.0b1 Apache-2.0 19
3.12.0b0 Apache-2.0 19
3.11.18 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.17 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.16 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.15 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.14 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.13 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.12 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.11 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.10 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.9 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.8 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.7 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.6 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.5 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.4 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.3 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.2 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.1 Apache-2.0 19 1970-01-01 - 00:00 over 56 years
3.11.0 Apache-2.0 19 1970-01-01 - 00:00 over 56 years