Update dependency aiohttp to v3.14.1 [SECURITY]#701
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
added
dependencies
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #701 +/- ##
=======================================
Coverage 94.39% 94.39%
=======================================
Files 9 9
Lines 874 874
Branches 121 121
=======================================
Hits 825 825
Misses 22 22
Partials 27 27 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
e089b6c to
f67babe
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
f67babe to
95fec08
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
95fec08 to
48a285c
Compare
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
48a285c to
750eec7
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
2 times, most recently
from
750eec7 to
515b70c
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
7508f37 to
515b70c
Compare
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
2 times, most recently
from
7508f37 to
d222dbf
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
2 times, most recently
from
d222dbf to
a4e6fc7
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.12.13→3.14.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
CVE-2025-53643 / GHSA-9548-qrrj-x5pj
More information
Details
Summary
The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: aio-libs/aiohttp@e8d774f
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
CVE-2025-69223 / GHSA-6mq8-rvhq-8wgg
More information
Details
Summary
A zip bomb can be used to execute a DoS against the aiohttp server.
Impact
An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.
Patch: aio-libs/aiohttp@2b920c3
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP's unicode processing of header values could cause parsing discrepancies
CVE-2025-69224 / GHSA-69f9-5gxw-wvc2
More information
Details
Summary
The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: aio-libs/aiohttp@32677f2
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP vulnerable to brute-force leak of internal static file path components
CVE-2025-69226 / GHSA-54jq-c3m8-4m76
More information
Details
Summary
Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the
existence of absolute path components.
Impact
If an application uses
web.static()(not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.Patch: aio-libs/aiohttp@f2a86fd
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
CVE-2025-69225 / GHSA-mqqc-3gqh-h2x8
More information
Details
Summary
The parser allows non-ASCII decimals to be present in the Range header.
Impact
There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.
Patch: aio-libs/aiohttp@c7b7a04
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP vulnerable to DoS when bypassing asserts
CVE-2025-69227 / GHSA-jj3x-wxrx-4x23
More information
Details
Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.
Impact
If optimisations are enabled (
-OorPYTHONOPTIMIZE=1), and the application includes a handler that uses theRequest.post()method, then an attacker may be able to execute a DoS attack with a specially crafted message.Patch: aio-libs/aiohttp@bc1319e
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP vulnerable to denial of service through large payloads
CVE-2025-69228 / GHSA-6jhg-hg63-jvvf
More information
Details
Summary
A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.
Impact
If an application includes a handler that uses the
Request.post()method, an attacker may be able to freeze the server by exhausting the memory.Patch: aio-libs/aiohttp@b7dbd35
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP vulnerable to DoS through chunked messages
CVE-2025-69229 / GHSA-g84x-mcqj-x9qq
More information
Details
Summary
Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.
Impact
If an application makes use of the
request.read()method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.Patch: aio-libs/aiohttp@dc3170b
Patch: aio-libs/aiohttp@4ed97a4
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP Vulnerable to Cookie Parser Warning Storm
CVE-2025-69230 / GHSA-fh55-r93g-j68g
More information
Details
Summary
Reading multiple invalid cookies can lead to a logging storm.
Impact
If the
cookiesattribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.Patch: aio-libs/aiohttp@64629a0
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
CVE-2026-22815 / GHSA-w2fm-2cpv-w7v5
More information
Details
Summary
Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
Impact
An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.
Patch: aio-libs/aiohttp@0c2e9da
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
CVE-2026-34513 / GHSA-hcc4-c3v8-rx92
More information
Details
Summary
An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.
Impact
If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.
Patch: aio-libs/aiohttp@c4d77c3
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has CRLF injection through multipart part content type header construction
CVE-2026-34514 / GHSA-2vrm-gr82-f7m5
More information
Details
Summary
An attacker who controls the
content_typeparameter in aiohttp could use this to inject extra headers or similar exploits.Impact
If an application allows untrusted data to be used for the multipart
content_typeparameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.Patch: aio-libs/aiohttp@9a6ada9
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
CVE-2026-34515 / GHSA-p998-jp59-783m
More information
Details
Summary
On Windows the static resource handler may expose information about a NTLMv2 remote path.
Impact
If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.
Patch: aio-libs/aiohttp@0ae2aa0
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has a Multipart Header Size Bypass
CVE-2026-34516 / GHSA-m5qp-6w8w-w647
More information
Details
Summary
A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.
Impact
Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.
Patch: aio-libs/aiohttp@8a74257
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
CVE-2026-34517 / GHSA-3wq7-rqq7-wx6j
More information
Details
Summary
For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.
Impact
If an application uses
Request.post()an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.Patch: aio-libs/aiohttp@cbb774f
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
CVE-2026-34518 / GHSA-966j-vmvw-g2g9
More information
Details
Summary
When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.
Impact
The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect.
Patch: aio-libs/aiohttp@5351c98
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has HTTP response splitting via \r in reason phrase
CVE-2026-34519 / GHSA-mwh4-6h8g-pg8w
More information
Details
Summary
An attacker who controls the
reasonparameter when creating aResponsemay be able to inject extra headers or similar exploits.Impact
In the unlikely situation that an application allows untrusted data to be used in the response's
reasonparameter, then an attacker could manipulate the response to send something different from what the developer intended.Patch: aio-libs/aiohttp@53b35a2
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
CVE-2026-34520 / GHSA-63hf-3vf5-4wqf
More information
Details
Summary
The C parser (the default for most installs) accepted null bytes and control characters is response headers.
Impact
An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example,
request.url.origin()may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass.Patch: aio-libs/aiohttp@9370b97
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP accepts duplicate Host headers
CVE-2026-34525 / GHSA-c427-h43c-vf67
More information
Details
Summary
Multiple Host headers were allowed in aiohttp.
Impact
Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using
Application.add_domain().Patch: aio-libs/aiohttp@e00ca3c
Patch: aio-libs/aiohttp@53e2e6f
Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
CVE-2026-34993 / GHSA-jg22-mg44-37j8
More information
Details
Summary
Using
CookieJar.load()with untrusted input may allow arbitrary code execution.Impact
Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.
Workaround
If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.
Patch: aio-libs/aiohttp@dcf40f3
Severity
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
CVE-2026-47265 / GHSA-hg6j-4rv6-33pg
More information
Details
Summary
Cookies set with the
cookiesparameter on requests are sent after following a cross-origin redirect.Impact
If a developer uses the
cookiesparameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect.Workaround
If unable to upgrade, using a
Cookieheader in theheadersparameter is not vulnerable.Patch: aio-libs/aiohttp@f54c408
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: CRLF injection in multipart headers
CVE-2026-50269 / GHSA-m6qw-4cw2-hm4m
More information
Details
Summary
Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar.
Impact
In the unlikely situation that an application is passing user-controlled strings into
MultipartWriter.append(headers=...)orPayload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request.Workaround
Sanitise such user input.
Patch: aio-libs/aiohttp@bf88077
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
CVE-2026-54279 / GHSA-2fqr-mr3j-6wp8
More information
Details
Summary
Host-only cookies that are saved with
CookieJar.save()and then restored later withCookieJar.load()lose their host-only status.Impact
Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed.
Patch: aio-libs/aiohttp@a329a7a
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
CVE-2026-54278 / GHSA-g3cq-j2xw-wf74
More information
Details
Summary
During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.
Impact
An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).
Workaround
Disable compression if unable to upgrade.
Patch: aio-libs/aiohttp@4f7480e
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
CVE-2026-54273 / GHSA-4fvr-rgm6-gqmc
More information
Details
Summary
No limit was present on the number of pipelined requests that could be queued.
Impact
An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS.
Patch: aio-libs/aiohttp@dfdfa9d
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
CVE-2026-54280 / GHSA-9x8q-7h8h-wcw9
More information
Details
Summary
Payload resources are not closed correctly when a client disconnects in the middle of a write.
Impact
If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.
Patch: aio-libs/aiohttp@a762eda
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
CVE-2026-54277 / GHSA-63hw-fmq6-xxg2
More information
Details
Summary
It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser.
Impact
If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.
Patch: aio-libs/aiohttp@5ab61bb
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
CVE-2026-54276 / GHSA-hpj7-wq8m-9hgp
More information
Details
Summary
DigestAuthMiddlewarecan send an authentication response after following a cross-origin redirect.Impact
If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest.
This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse.
Workaround
Disable
follow_redirectsif this is a concern.Patch: aio-libs/aiohttp@38d1606
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Incomplete websocket frame payloads bypass memory limits
CVE-2026-54274 / GHSA-xcgm-r5h9-7989
More information
Details
Summary
If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.
Impact
If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use.
Patch: aio-libs/aiohttp@14b6ee8
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
CVE-2026-54275 / GHSA-4m7w-qmgq-4wj5
More information
Details
Summary
The
server_hostnameTLS SNI check can be bypassed when an existing connection is reused.Impact
If an application makes multiple requests to the same domain, but with different per-request
server_hostnameparameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.Workaround
Disable keep_alive if you need to change the
server_hostnamecheck between requests.Patch: aio-libs/aiohttp@0ca2b6c
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
aio-libs/aiohttp (aiohttp)
v3.14.1Compare Source
===================
Bug fixes
Fixed a race condition in :py:class:
~aiohttp.TCPConnectorwhere closing the connector while a DNS resolution was in-flight could raise :py:exc:AttributeErrorinstead of :py:exc:~aiohttp.ClientConnectionError-- by :user:goingforstudying-ctrl.Related issues and pull requests on GitHub:
:issue:
12497.Fixed
CancelledErrornot closing a connection -- by :user:aiolibsbot.Related issues and pull requests on GitHub:
:issue:
12795.Tightened up some websocket parser checks -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
12817.Fixed :class:
~aiohttp.CookieJardropping the host-only flag of cookies when persisted with :meth:~aiohttp.CookieJar.saveand reloaded with :meth:~aiohttp.CookieJar.load, so a cookie set without aDomainattribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:~aiohttp.CookieJar.loadnow replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:~aiohttp.CookieJar.update_cookies, so a cookie for an IP-address host is dropped when loaded into a jar created withoutunsafe=True-- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12824.Scoped :class:
~aiohttp.DigestAuthMiddlewarecredentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616domaindirective -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12825.Fixed the C HTTP parser not enforcing
max_line_sizeon a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raisingLineTooLong. The accumulated length is now checked, matching the pure-Python parser -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12826.Changed :class:
~aiohttp.TCPConnectorto reject legacy non-canonical numeric IPv4 host forms such as2130706433,017700000001and127.1with :exc:~aiohttp.InvalidUrlClientError; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12827.Fixed :meth:
~aiohttp.StreamReader.readanyand :meth:~aiohttp.StreamReader.read_nowaitjoining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:bytes; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12828.Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
12830.Fixed :meth:
aiohttp.web.Response.write_eofskippingPayload.close()when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in afinallyso a :class:~aiohttp.payload.Payloadbody always releases its resources -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12831.Fixed the pure-Python HTTP parser not enforcing
max_line_sizeon a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12832.Included the per-request
server_hostnameoverride in the :class:~aiohttp.TCPConnectorconnection pool key, so a pooled TLS connection is no longer reused for a request that setsserver_hostnameto a different value -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12835.v3.14.0: 3.14.0Compare Source
We have a new website! https://aio-libs.org
Subscribe to the news feed to find out more about what we're working on in future.
Features
Added
RequestKeyandResponseKeyclasses,which enable static type checking for request & response
context storages in the same way that
AppKeydoes forApplication-- by :user:
gsoldatov.Related issues and pull requests on GitHub:
Configuration
📅 Schedule: (in timezone America/Chicago)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.