Python/aiohttp/3.13.3


Async http client/server framework (asyncio)

https://pypi.org/project/aiohttp
Apache-2.0

10 Security Vulnerabilities

AIOHTTP has CRLF injection through multipart part content type header construction

Published date: 2026-04-01T21:20:06Z
CVE: CVE-2026-34514
Links:

Summary

An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits.

Impact

If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.


Patch: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Published date: 2026-04-01T21:47:07Z
CVE: CVE-2026-34517
Links:

Summary

For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.

Impact

If an application uses Request.post(), an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.


Patch: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Published date: 2026-04-01T21:49:06Z
CVE: CVE-2026-34520
Links:

Summary

The C parser (the default for most installs) accepted null bytes and control characters in response headers.

Impact

An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or than what a reverse proxy interpreted it as, potentially resulting in some kind of security bypass.


Patch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

Published date: 2026-04-01T21:47:46Z
CVE: CVE-2026-34518
Links:

Summary

When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.

Impact

The Cookie and Proxy-Authorization headers could contain sensitive information which may be leaked to an unintended party after following a redirect.


Patch: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP accepts duplicate Host headers

Published date: 2026-04-01T21:49:45Z
CVE: CVE-2026-34525
Links:

Summary

Multiple Host headers were allowed in aiohttp.

Impact

Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub-app when using Application.add_domain().


Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349
Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector

Published date: 2026-04-01T21:19:22Z
CVE: CVE-2026-34513
Links:

Summary

An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.

Impact

If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.


Patch: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP has a Multipart Header Size Bypass

Published date: 2026-04-01T21:43:07Z
CVE: CVE-2026-34516
Links:

Summary

A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.

Impact

Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.


Patch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP has HTTP response splitting via \r in reason phrase

Published date: 2026-04-01T21:48:24Z
CVE: CVE-2026-34519
Links:

Summary

An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits.

Impact

In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended.


Patch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows

Published date: 2026-04-01T21:26:36Z
CVE: CVE-2026-34515
Links:

Summary

On Windows, the static resource handler may expose information about an NTLMv2 remote path.

Impact

If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.


Patch: https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage

Published date: 2026-04-01T19:45:17Z
CVE: CVE-2026-22815
Links:

Summary

Insufficient restrictions in header/trailer handling could cause uncapped memory usage.

Impact

An application could suffer memory exhaustion when receiving an attacker-controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.


Patch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36

Affected versions: ["3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.15", "3.12.14", "3.12.13", "3.12.12", "3.12.11", "3.12.10", "3.12.9", "3.12.8", "3.12.7", "3.12.6", "3.12.4", "3.12.3", "3.12.2", "3.12.1", "3.12.0", "3.12.0rc1", "3.12.0rc0", "3.12.1rc0", "3.12.7rc0", "3.12.0b3", "3.12.0b2", "3.12.0b1", "3.12.0b0", "3.11.18", "3.11.17", "3.11.16", "3.11.15", "3.11.14", "3.11.13", "3.11.12", "3.11.11", "3.11.10", "3.11.9", "3.11.8", "3.11.7", "3.11.6", "3.11.5", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.11.0rc2", "3.11.0rc1", "3.11.0rc0", "3.11.0b5", "3.11.0b4", "3.11.0b3", "3.11.0b2", "3.11.0b1", "3.11.0b0", "3.10.11", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.10.6rc2", "3.10.6rc1", "3.10.0rc0", "3.10.6rc0", "3.10.11rc0", "3.10.0b1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.9.0rc0", "3.9.4rc0", "3.9.0b1", "3.9.0b0", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.8.0b0", "3.8.0a7", "3.7.4", "3.7.4.post0", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.7.0b1", "3.7.0b0", "3.6.3", "3.6.2", "3.6.1", "3.6.0", "3.6.1b4", "3.6.1b3", "3.6.0b0", "3.6.0a12", "3.6.0a11", "3.6.0a9", "3.6.0a8", "3.6.0a7", "3.6.0a6", "3.6.0a5", "3.6.0a4", "3.6.0a3", "3.6.0a2", "3.6.2a2", "3.6.0a1", "3.6.2a1", "3.6.0a0", "3.6.2a0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.5.0b3", "3.5.0b2", "3.5.0b1", "3.5.0a1", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0b2", "3.4.0b1", "3.4.0a3", "3.4.0a0", "3.3.2", "3.3.1", "3.3.0", "3.3.2a0", "3.3.0a0", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.9", "3.0.8", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0b4", "3.0.0b3", "3.0.0b2", "3.0.0b1", "3.0.0b0", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.2b3", "2.3.2b2", "2.3.0a4", "2.3.0a3", "2.3.0a2", "2.3.0a1", "2.3.1a1", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.0", 
"2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc1", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.5", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.22.5", "0.22.4", "0.22.3", "0.22.2", "0.22.1", "0.22.0", "0.22.0b6", "0.22.0b5", "0.22.0b4", "0.22.0b3", "0.22.0b2", "0.22.0b1", "0.22.0b0", "0.22.0a0", "0.21.6", "0.21.5", "0.21.4", "0.21.2", "0.21.1", "0.21.0", "0.20.2", "0.20.1", "0.20.0", "0.19.0", "0.18.4", "0.18.3", "0.18.2", "0.18.1", "0.18.0", "0.17.4", "0.17.3", "0.17.2", "0.17.1", "0.17.0", "0.16.6", "0.16.5", "0.16.4", "0.16.3", "0.16.2", "0.16.1", "0.16.0", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.14.0", "0.13.1", "0.13.0", "0.12.0", "0.11.0", "0.10.2", "0.10.1", "0.10.0", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.0", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4", "0.3", "0.2", "0.1"]
Secure versions: [3.13.4, 3.13.5, 4.0.0a0, 4.0.0a1]
Recommendation: Update to version 3.13.5.

308 Other Versions

Version License Security Released
3.2.0 Apache-2.0 32 2018-05-06 - 21:40 about 8 years
3.1.3 Apache-2.0 32 2018-04-13 - 10:48 about 8 years
3.1.2 Apache-2.0 32 2018-04-05 - 21:28 about 8 years
3.1.1 Apache-2.0 32 2018-03-27 - 14:57 about 8 years
3.1.0 Apache-2.0 32 2018-03-21 - 14:57 about 8 years
3.0.9 Apache-2.0 32 2018-03-14 - 13:20 about 8 years
3.0.8 Apache-2.0 32 2018-03-13 - 09:30 about 8 years
3.0.7 Apache-2.0 32 2018-03-08 - 16:54 about 8 years
3.0.6 Apache-2.0 32 2018-03-05 - 00:31 about 8 years
3.0.5 Apache-2.0 32 2018-02-27 - 17:33 about 8 years
3.0.4 Apache-2.0 32 2018-02-26 - 15:11 about 8 years
3.0.3 Apache-2.0 32 2018-02-25 - 16:17 about 8 years
3.0.2 Apache-2.0 32 2018-02-23 - 10:10 about 8 years
3.0.1 Apache-2.0 32 2018-02-12 - 13:05 over 8 years
3.0.0 Apache-2.0 32 2018-02-12 - 10:02 over 8 years
3.0.0b4 Apache-2.0 32 2018-02-09 - 16:15 over 8 years
3.0.0b3 Apache-2.0 32 2018-02-08 - 21:56 over 8 years
3.0.0b2 Apache-2.0 32 2018-02-08 - 16:05 over 8 years
3.0.0b1 Apache-2.0 32 2018-02-08 - 14:53 over 8 years
3.0.0b0 Apache-2.0 32 2018-02-08 - 11:50 over 8 years
2.3.10 Apache-2.0 32 2018-02-02 - 11:16 over 8 years
2.3.9 Apache-2.0 32 2018-01-18 - 01:56 over 8 years
2.3.8 Apache-2.0 32 2018-01-17 - 07:10 over 8 years
2.3.7 Apache-2.0 32 2017-12-27 - 10:01 over 8 years
2.3.6 Apache-2.0 32 2017-12-04 - 18:51 over 8 years
2.3.5 Apache-2.0 32 2017-11-30 - 07:24 over 8 years
2.3.4 Apache-2.0 32 2017-11-29 - 19:50 over 8 years
2.3.3 Apache-2.0 32 2017-11-17 - 11:59 over 8 years
2.3.2 Apache-2.0 32 2017-11-01 - 19:40 over 8 years
2.3.1 Apache-2.0 32 2017-10-19 - 11:39 over 8 years
2.3.0 Apache-2.0 32 2017-10-18 - 07:15 over 8 years
2.3.2b3 Apache-2.0 32 2017-11-01 - 14:07 over 8 years
2.3.2b2 Apache-2.0 32 2017-11-01 - 11:04 over 8 years
2.3.0a4 Apache-2.0 32 2017-10-17 - 20:52 over 8 years
2.3.0a3 Apache-2.0 32 2017-10-17 - 19:31 over 8 years
2.3.0a2 Apache-2.0 32 2017-10-17 - 14:24 over 8 years
2.3.0a1 Apache-2.0 32 2017-10-17 - 10:23 over 8 years
2.3.1a1 Apache-2.0 32 2017-10-18 - 22:12 over 8 years
2.2.5 Apache-2.0 32 2017-08-03 - 14:50 almost 9 years
2.2.4 Apache-2.0 32 2017-08-02 - 19:42 almost 9 years
2.2.3 Apache-2.0 32 2017-07-04 - 15:16 almost 9 years
2.2.2 Apache-2.0 32 2017-07-03 - 08:29 almost 9 years
2.2.1 Apache-2.0 32 2017-07-02 - 18:12 almost 9 years
2.2.0 Apache-2.0 32 2017-06-20 - 11:52 almost 9 years
2.1.0 Apache-2.0 32 2017-05-26 - 14:47 almost 9 years
2.0.7 Apache-2.0 32 2017-04-12 - 22:50 about 9 years
2.0.6 Apache-2.0 32 2017-04-08 - 17:40 about 9 years
2.0.5 Apache-2.0 32 2017-03-29 - 18:19 about 9 years
2.0.4 Apache-2.0 32 2017-03-27 - 19:16 about 9 years
2.0.3 Apache-2.0 32 2017-03-24 - 21:38 about 9 years