CRITICAL 9.1 CVE-2026-34520 AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
from 0, < 3.13.4
HIGH 7.5 CVE-2026-47265 AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
from 0, < 3.14.0
HIGH 7.5 AIOHTTP has a Multipart Header Size Bypass
from 0, < 3.13.4
HIGH 7.5 AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
from 0, < 3.13.4
HIGH 7.5 AIOHTTP vulnerable to denial of service through large payloads
from 0, < 3.13.3
HIGH 7.5 AIOHTTP vulnerable to DoS when bypassing asserts
from 0, < 3.13.3
HIGH 7.5 AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
from 0, < 3.13.3
HIGH 7.5 AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
from 0, < 3.12.14
HIGH 7.5 aiohttp allows request smuggling due to incorrect parsing of chunk extensions
from 0, < 3.10.11
HIGH 7.5 aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method
>= 3.10.6, < 3.10.11
HIGH 7.5 aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
from 0, < 3.9.4
HIGH 7.2 aiohttp's ClientSession is vulnerable to CRLF injection via version
from 0, < 3.9.0
HIGH 7.2 aiohttp's ClientSession is vulnerable to CRLF injection via version
from 0, < 1e86b777e61cf4eefc7d92fa57fa19dcc676013b | from 0, < 3.9.0
MEDIUM 6.5 AIOHTTP's unicode processing of header values could cause parsing discrepancies
from 0, < 3.13.3
MEDIUM 6.5 aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
from 0, < 3.9.2
MEDIUM 6.5 aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
from 0, < 33ccdfb0a12690af5bb49bda2319ec0907fa7827 | from 0, < 3.9.2
MEDIUM 6.4 AIOHTTP is Vulnerable to Deserialization of Untrusted Data
from 0, < 3.14.0
MEDIUM 6.1 aiohttp Cross-site Scripting vulnerability on index pages for static file handling
from 0, < 3.9.4
MEDIUM 5.9 aiohttp is vulnerable to directory traversal
from 0, < 1c335944d6a8b1298baf179b7c0b3069f10c514b | >= 1.0.5, < 3.9.2
MEDIUM 5.9 aiohttp is vulnerable to directory traversal
>= 1.0.5, < 3.9.2
MEDIUM 5.5 Withdrawn: Denial of Service in aiohttp
from 0
MEDIUM 5.5 Withdrawn: Denial of Service in aiohttp
from 0, <= 3.8.1
MEDIUM 5.3 AIOHTTP accepts duplicate Host headers
from 0, < 3.13.4
MEDIUM 5.3 AIOHTTP has HTTP response splitting via \r in reason phrase
from 0, < 3.13.4
MEDIUM 5.3 AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
from 0, < 3.13.4
MEDIUM 5.3 AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
from 0, < 3.13.4
MEDIUM 5.3 AIOHTTP has CRLF injection through multipart part content type header construction
from 0, < 3.13.4
MEDIUM 5.3 AIOHTTP Vulnerable to Cookie Parser Warning Storm
from 0, < 3.13.3
MEDIUM 5.3 AIOHTTP vulnerable to DoS through chunked messages
from 0, < 3.13.3
MEDIUM 5.3 AIOHTTP vulnerable to brute-force leak of internal static file path components
from 0, < 3.13.3
MEDIUM 5.3 AIOHTTP has unicode match groups in regexes for ASCII protocol elements
from 0, < 3.13.3
MEDIUM 5.3 aiohttp's ClientSession is vulnerable to CRLF injection via method
from 0, < 3.9.0
MEDIUM 5.3 aiohttp's ClientSession is vulnerable to CRLF injection via method
from 0, < e4ae01c2077d2cfa116aa82e4ff6866857f7c466 | from 0, < 3.9.0
MEDIUM 5.3 python-aiohttp - security update
from 0, < d5c12ba890557a575c313bb3017910d7616fce3d | from 0, < 3.8.6
MEDIUM 5.3 python-aiohttp - security update
from 0, < 3.8.6
MEDIUM 5.3 aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
from 0, < 3.8.5
MEDIUM 5.3 aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
from 0, < 3.8.5
MEDIUM 4.8 In aiohttp, compressed files as symlinks are not protected from path traversal
>= 3.10.0b1, < 3.10.2
LOW 3.4 Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
from 0, < 3.8.0
LOW 3.4 Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
from 0, < f016f0680e4ace6742b03a70cb0382ce86abe371 | from 0, < 3.8.0
LOW 3.1 python-aiohttp - security update
from 0, < 3.7.4
LOW 3.1 python-aiohttp - security update
from 0, < 2545222a3853e31ace15d87ae0e2effb7da0c96b | from 0, < 3.7.4
— AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
from 0, < 3.13.4
— aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
from 0, < 3.13.4