Python/aiohttp/3.11.14 Async http client/server framework (asyncio)
Repo Link: https://pypi.org/project/aiohttp
License: Apache-2.0
19 Security Vulnerabilities
Published date: 2026-04-01T21:20:06Z
CVE: CVE-2026-34514
Summary An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits.
Impact If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.
Patch: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-04-01T21:47:07Z
CVE: CVE-2026-34517
Summary For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.
Impact If an application uses Request.post() an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.
Patch: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-01-05T23:09:51Z
CVE: CVE-2025-69226
Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components.
Impact If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.
Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-04-01T21:49:06Z
CVE: CVE-2026-34520
Summary The C parser (the default for most installs) accepted null bytes and control characters in response headers.
Impact An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or what a reverse proxy interpreted it as, potentially resulting in some kind of security bypass.
Patch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-01-05T22:58:57Z
CVE: CVE-2025-69224
Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.
Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0
Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-01-05T23:13:14Z
CVE: CVE-2025-69228
Summary A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.
Impact If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory.
Patch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60
Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-01-05T22:58:41Z
CVE: CVE-2025-69223
Summary A zip bomb can be used to execute a DoS against the aiohttp server.
Impact An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.
Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2025-07-14T19:33:31Z
CVE: CVE-2025-53643
Summary The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.
Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a
Affected versions: ["3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", 
"2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-04-01T21:47:46Z
CVE: CVE-2026-34518
Summary When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.
Impact The Cookie and Proxy-Authorization headers could contain sensitive information which may be leaked to an unintended party after following a redirect.
Patch: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-04-01T21:49:45Z
CVE: CVE-2026-34525
Summary Multiple Host headers were allowed in aiohttp.
Impact Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().
Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349
Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-01-05T23:13:46Z
CVE: CVE-2025-69230
Summary Reading multiple invalid cookies can lead to a logging storm.
Impact If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.
Patch: https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326
Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-01-05T23:13:29Z
CVE: CVE-2025-69229
Summary Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.
Impact If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.
Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-04-01T21:19:22Z
CVE: CVE-2026-34513
Summary An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.
Impact If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.
Patch: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-01-05T23:10:15Z
CVE: CVE-2025-69227
Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.
Impact If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message.
Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259
Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-04-01T21:43:07Z
CVE: CVE-2026-34516
Summary A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.
Impact Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.
Patch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-01-05T23:09:30Z
CVE: CVE-2025-69225
Summary The parser allows non-ASCII decimals to be present in the Range header.
Impact There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.
Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
Affected versions: ["3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.7", 
"2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-04-01T21:48:24Z
CVE: CVE-2026-34519
Summary An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or carry out similar exploits.
Impact In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended.
Patch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-04-01T21:26:36Z
CVE: CVE-2026-34515
Summary On Windows, the static resource handler may expose information about an NTLMv2 remote path.
Impact If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.
Patch: https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.
Published date: 2026-04-01T19:45:17Z
CVE: CVE-2026-22815
Summary: Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
Impact: An application could exhaust memory when receiving an attacker-controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.
Patch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36
Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.