{"info": {"author": "Nikolay Kim", "author_email": "fafhrd91@gmail.com", "bugtrack_url": null, "classifiers": ["Development Status :: 5 - Production/Stable", "Framework :: AsyncIO", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "Operating System :: MacOS :: MacOS X", "Operating System :: Microsoft :: Windows", "Operating System :: POSIX", "Programming Language :: Python", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Topic :: Internet :: WWW/HTTP"], "description": "==================================\nAsync http client/server framework\n==================================\n\n.. image:: https://raw.githubusercontent.com/aio-libs/aiohttp/master/docs/_static/aiohttp-icon-128x128.png\n :height: 64px\n :width: 64px\n :alt: aiohttp logo\n\n|\n\n.. image:: https://travis-ci.com/aio-libs/aiohttp.svg?branch=master\n :target: https://travis-ci.com/aio-libs/aiohttp\n :align: right\n :alt: Travis status for master branch\n\n.. image:: https://codecov.io/gh/aio-libs/aiohttp/branch/master/graph/badge.svg\n :target: https://codecov.io/gh/aio-libs/aiohttp\n :alt: codecov.io status for master branch\n\n.. image:: https://badge.fury.io/py/aiohttp.svg\n :target: https://pypi.org/project/aiohttp\n :alt: Latest PyPI package version\n\n.. image:: https://readthedocs.org/projects/aiohttp/badge/?version=latest\n :target: http://docs.aiohttp.org/\n :alt: Latest Read The Docs\n\n.. image:: https://badges.gitter.im/Join%20Chat.svg\n :target: https://gitter.im/aio-libs/Lobby\n :alt: Chat on Gitter\n\nKey Features\n============\n\n- Supports both client and server side of HTTP protocol.\n- Supports both client and server Web-Sockets out-of-the-box without the\n Callback Hell.\n- Web-server has middlewares and pluggable routing.\n\n\nGetting started\n===============\n\nClient\n------\n\nTo retrieve something from the web:\n\n.. code-block:: python\n\n import aiohttp\n import asyncio\n\n async def fetch(session, url):\n async with session.get(url) as response:\n return await response.text()\n\n async def main():\n async with aiohttp.ClientSession() as session:\n html = await fetch(session, 'http://python.org')\n print(html)\n\n if __name__ == '__main__':\n loop = asyncio.get_event_loop()\n loop.run_until_complete(main())\n\n\nServer\n------\n\nThis is simple usage example:\n\n.. code-block:: python\n\n from aiohttp import web\n\n async def handle(request):\n name = request.match_info.get('name', \"Anonymous\")\n text = \"Hello, \" + name\n return web.Response(text=text)\n\n async def wshandle(request):\n ws = web.WebSocketResponse()\n await ws.prepare(request)\n\n async for msg in ws:\n if msg.type == web.WSMsgType.text:\n await ws.send_str(\"Hello, {}\".format(msg.data))\n elif msg.type == web.WSMsgType.binary:\n await ws.send_bytes(msg.data)\n elif msg.type == web.WSMsgType.close:\n break\n\n return ws\n\n\n app = web.Application()\n app.add_routes([web.get('/', handle),\n web.get('/echo', wshandle),\n web.get('/{name}', handle)])\n\n web.run_app(app)\n\n\nDocumentation\n=============\n\nhttps://aiohttp.readthedocs.io/\n\n\nDemos\n=====\n\nhttps://github.com/aio-libs/aiohttp-demos\n\n\nExternal links\n==============\n\n* `Third party libraries\n `_\n* `Built with aiohttp\n `_\n* `Powered by aiohttp\n `_\n\nFeel free to make a Pull Request for adding your link to these pages!\n\n\nCommunication channels\n======================\n\n*aio-libs* google group: https://groups.google.com/forum/#!forum/aio-libs\n\nFeel free to post your questions and ideas here.\n\n*gitter chat* https://gitter.im/aio-libs/Lobby\n\nWe support `Stack Overflow\n`_.\nPlease add *aiohttp* tag to your question there.\n\nRequirements\n============\n\n- Python >= 3.5.3\n- async-timeout_\n- attrs_\n- chardet_\n- multidict_\n- yarl_\n\nOptionally you may install the cChardet_ and aiodns_ libraries (highly\nrecommended for sake of speed).\n\n.. _chardet: https://pypi.python.org/pypi/chardet\n.. _aiodns: https://pypi.python.org/pypi/aiodns\n.. _attrs: https://github.com/python-attrs/attrs\n.. _multidict: https://pypi.python.org/pypi/multidict\n.. _yarl: https://pypi.python.org/pypi/yarl\n.. _async-timeout: https://pypi.python.org/pypi/async_timeout\n.. _cChardet: https://pypi.python.org/pypi/cchardet\n\nLicense\n=======\n\n``aiohttp`` is offered under the Apache 2 license.\n\n\nKeepsafe\n========\n\nThe aiohttp community would like to thank Keepsafe\n(https://www.getkeepsafe.com) for it's support in the early days of\nthe project.\n\n\nSource code\n===========\n\nThe latest developer version is available in a github repository:\nhttps://github.com/aio-libs/aiohttp\n\nBenchmarks\n==========\n\nIf you are interested in by efficiency, AsyncIO community maintains a\nlist of benchmarks on the official wiki:\nhttps://github.com/python/asyncio/wiki/Benchmarks\n\n=========\nChangelog\n=========\n\n..\n You should *NOT* be adding new change log entries to this file, this\n file is managed by towncrier. You *may* edit previous change logs to\n fix problems like typo corrections or such.\n To add a new change log entry, please see\n https://pip.pypa.io/en/latest/development/#adding-a-news-entry\n we named the news folder \"changes\".\n\n WARNING: Don't drop the next directive!\n\n.. towncrier release notes start\n\n3.3.2 (2018-06-12)\n==================\n\n- Many HTTP proxies has buggy keepalive support. Let's not reuse connection but\n close it after processing every response. (`#3070 `_)\n\n- Provide vendor source files in tarball (`#3076 `_)\n\n\n3.3.1 (2018-06-05)\n==================\n\n- Fix ``sock_read`` timeout. (`#3053 `_)\n- When using a server-request body as the ``data=`` argument of a client request,\n iterate over the content with ``readany`` instead of ``readline`` to avoid ``Line\n too long`` errors. (`#3054 `_)\n\n\n3.3.0 (2018-06-01)\n==================\n\nFeatures\n--------\n\n- Raise ``ConnectionResetError`` instead of ``CancelledError`` on trying to\n write to a closed stream. (`#2499 `_)\n- Implement ``ClientTimeout`` class and support socket read timeout. (`#2768 `_)\n- Enable logging when ``aiohttp.web`` is used as a program (`#2956 `_)\n- Add canonical property to resources (`#2968 `_)\n- Forbid reading response BODY after release (`#2983 `_)\n- Implement base protocol class to avoid a dependency from internal\n ``asyncio.streams.FlowControlMixin`` (`#2986 `_)\n- Cythonize ``@helpers.reify``, 5% boost on macro benchmark (`#2995 `_)\n- Optimize HTTP parser (`#3015 `_)\n- Implement ``runner.addresses`` property. (`#3036 `_)\n- Use ``bytearray`` instead of a list of ``bytes`` in websocket reader. It\n improves websocket message reading a little. (`#3039 `_)\n- Remove heartbeat on closing connection on keepalive timeout. The used hack\n violates HTTP protocol. (`#3041 `_)\n- Limit websocket message size on reading to 4 MB by default. (`#3045 `_)\n\n\nBugfixes\n--------\n\n- Don't reuse a connection with the same URL but different proxy/TLS settings\n (`#2981 `_)\n- When parsing the Forwarded header, the optional port number is now preserved.\n (`#3009 `_)\n\n\nImproved Documentation\n----------------------\n\n- Make Change Log more visible in docs (`#3029 `_)\n- Make style and grammar improvements on the FAQ page. (`#3030 `_)\n- Document that signal handlers should be async functions since aiohttp 3.0\n (`#3032 `_)\n\n\nDeprecations and Removals\n-------------------------\n\n- Deprecate custom application's router. (`#3021 `_)\n\n\nMisc\n----\n\n- #3008, #3011\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": {"last_day": -1, "last_month": -1, "last_week": -1}, "dynamic": null, "home_page": "https://github.com/aio-libs/aiohttp", "keywords": "", "license": "Apache 2", "license_expression": null, "license_files": null, "maintainer": "Nikolay Kim , Andrew Svetlov ", "maintainer_email": "aio-libs@googlegroups.com", "name": "aiohttp", "package_url": "https://pypi.org/project/aiohttp/", "platform": "", "project_url": "https://pypi.org/project/aiohttp/", "project_urls": {"CI: AppVeyor": "https://ci.appveyor.com/project/asvetlov/aiohttp", "CI: Circle": "https://circleci.com/gh/aio-libs/aiohttp", "CI: Shippable": "https://app.shippable.com/github/aio-libs/aiohttp", "CI: Travis": "https://travis-ci.com/aio-libs/aiohttp", "Chat: Gitter": "https://gitter.im/aio-libs/Lobby", "Coverage: codecov": "https://codecov.io/github/aio-libs/aiohttp", "Docs: RTD": "https://docs.aiohttp.org", "GitHub: issues": "https://github.com/aio-libs/aiohttp/issues", "GitHub: repo": "https://github.com/aio-libs/aiohttp", "Homepage": "https://github.com/aio-libs/aiohttp"}, "provides_extra": null, "release_url": "https://pypi.org/project/aiohttp/3.3.2/", "requires_dist": ["attrs (>=17.3.0)", "chardet (<4.0,>=2.0)", "multidict (<5.0,>=4.0)", "async-timeout (<4.0,>=3.0)", "yarl (<2.0,>=1.0)", "idna-ssl (>=1.0)"], "requires_python": ">=3.5.3", "summary": "Async http client/server framework (asyncio)", "version": "3.3.2", "yanked": false, "yanked_reason": null}, "last_serial": 35674693, "ownership": {"organization": "aio-libs", "roles": [{"role": "Maintainer", "user": "Andrew.Svetlov"}, {"role": "Maintainer", "user": "Dreamsorcerer"}, {"role": "Maintainer", "user": "bdraco"}, {"role": "Maintainer", "user": "fafhrd"}, {"role": "Maintainer", "user": "webknjaz"}]}, "urls": [{"comment_text": "", "digests": {"blake2b_256": "726a5bbf3544fe8de525f4521506b372dc9c3b13070fe34e911c976aa95631d7", "md5": "dfaadf259d1f677a286d203e9470d2a0", "sha256": "f20deec7a3fbaec7b5eb7ad99878427ad2ee4cc16a46732b705e8121cbb3cc12"}, "downloads": -1, "filename": "aiohttp-3.3.2.tar.gz", "has_sig": false, "md5_digest": "dfaadf259d1f677a286d203e9470d2a0", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.5.3", "size": 771414, "upload_time": "2018-06-12T13:56:50", "upload_time_iso_8601": "2018-06-12T13:56:50.007839Z", "url": "https://fixtures.pulpproject.org/python-pypi/packages/aiohttp-3.3.2.tar.gz", "yanked": false, "yanked_reason": null}], "vulnerabilities": [{"aliases": ["CVE-2021-21330", "GHSA-v6wp-4m6f-gcjg"], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows \"pip install aiohttp >= 3.7.4\". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.", "fixed_in": ["3.7.4"], "id": "PYSEC-2021-76", "link": "https://osv.dev/vulnerability/PYSEC-2021-76", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2021-21330", "PYSEC-2021-76"], "details": "### Impact\n\nOpen redirect vulnerability \u2014 a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.\n\nIt is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware.\n\n### Patches\n\nThis security problem has been fixed in v3.7.4. Upgrade your dependency as follows:\n[`pip install aiohttp >= 3.7.4`]\n\n### Workarounds\n\nIf upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.\n\n### References\n\n* [aiohttp @ PyPI]\n* [GHSA-v6wp-4m6f-gcjg]\n* [OWASP page on open redirects]\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in the [aiohttp repo](https://github.com/aio-libs/aiohttp/issues/new/choose)\n* Email us at wk+aio-libs-security@sydorenko.org.ua and/or andrew.svetlov+aio-libs-security@gmail.com\n\nCredit: [Jelmer Vernoo\u0133] and [Beast Glatisant].\n\n[aiohttp @ PyPI]: https://pypi.org/p/aiohttp\n[`pip install aiohttp >= 3.7.4`]: https://pypi.org/project/aiohttp/3.7.4/\n[GHSA-v6wp-4m6f-gcjg]: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg\n[OWASP page on open redirects]:\nhttps://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html\n\n[Jelmer Vernoo\u0133]: https://jelmer.uk\n[Beast Glatisant]: https://github.com/g147", "fixed_in": ["3.7.4"], "id": "GHSA-v6wp-4m6f-gcjg", "link": "https://osv.dev/vulnerability/GHSA-v6wp-4m6f-gcjg", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-34515"], "details": "### Summary\n\nOn Windows the static resource handler may expose information about a NTLMv2 remote path.\n\n### Impact\n\nIf an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d", "fixed_in": ["3.13.4"], "id": "GHSA-p998-jp59-783m", "link": "https://osv.dev/vulnerability/GHSA-p998-jp59-783m", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-34513"], "details": "### Summary\n\nAn unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.\n\n### Impact\n\nIf an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98", "fixed_in": ["3.13.4"], "id": "GHSA-hcc4-c3v8-rx92", "link": "https://osv.dev/vulnerability/GHSA-hcc4-c3v8-rx92", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-34516"], "details": "### Summary\n\nA response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.\n\n### Impact\n\nMultipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f", "fixed_in": ["3.13.4"], "id": "GHSA-m5qp-6w8w-w647", "link": "https://osv.dev/vulnerability/GHSA-m5qp-6w8w-w647", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2024-23334", "GHSA-5h86-8mv2-jq9f"], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.", "fixed_in": ["3.9.2"], "id": "PYSEC-2024-24", "link": "https://osv.dev/vulnerability/PYSEC-2024-24", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2023-37276"], "details": "### Impact\n\naiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.\n\nThis vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`).\n\n### Reproducer\n\n```python\nfrom aiohttp import web\n\nasync def example(request: web.Request):\n headers = dict(request.headers)\n body = await request.content.read()\n return web.Response(text=f\"headers: {headers} body: {body}\")\n\napp = web.Application()\napp.add_routes([web.post('/', example)])\nweb.run_app(app)\n```\n\nSending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.\n\n```console\n$ printf \"POST / HTTP/1.1\\r\\nHost: localhost:8080\\r\\nX-Abc: \\rxTransfer-Encoding: chunked\\r\\n\\r\\n1\\r\\nA\\r\\n0\\r\\n\\r\\n\" \\\n | nc localhost 8080\n\nExpected output:\n headers: {'Host': 'localhost:8080', 'X-Abc': '\\rxTransfer-Encoding: chunked'} body: b''\n\nActual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently)\n headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'\n```\n\n### Patches\n\nUpgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: [`pip install aiohttp >= 3.8.5`](https://pypi.org/project/aiohttp/3.8.5/)\n\n### Workarounds\n\nIf you aren't able to upgrade you can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:\n\n```console\n$ python -m pip uninstall --yes aiohttp\n$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp\n```\n\n### References\n\n* https://nvd.nist.gov/vuln/detail/CVE-2023-30589\n* https://hackerone.com/reports/2001873\n", "fixed_in": ["3.8.5"], "id": "GHSA-45c4-8wx5-qw6w", "link": "https://osv.dev/vulnerability/GHSA-45c4-8wx5-qw6w", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["GHSA-45c4-8wx5-qw6w", "CVE-2023-37276"], "details": "### Impact\n\naiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.\n\nThis vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`).\n\n### Reproducer\n\n```python\nfrom aiohttp import web\n\nasync def example(request: web.Request):\n headers = dict(request.headers)\n body = await request.content.read()\n return web.Response(text=f\"headers: {headers} body: {body}\")\n\napp = web.Application()\napp.add_routes([web.post('/', example)])\nweb.run_app(app)\n```\n\nSending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.\n\n```console\n$ printf \"POST / HTTP/1.1\\r\\nHost: localhost:8080\\r\\nX-Abc: \\rxTransfer-Encoding: chunked\\r\\n\\r\\n1\\r\\nA\\r\\n0\\r\\n\\r\\n\" \\\n | nc localhost 8080\n\nExpected output:\n headers: {'Host': 'localhost:8080', 'X-Abc': '\\rxTransfer-Encoding: chunked'} body: b''\n\nActual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently)\n headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'\n```\n\n### Patches\n\nUpgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: [`pip install aiohttp >= 3.8.5`](https://pypi.org/project/aiohttp/3.8.5/)\n\n### Workarounds\n\nIf you aren't able to upgrade you can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:\n\n```console\n$ python -m pip uninstall --yes aiohttp\n$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp\n```\n\n### References\n\n* https://nvd.nist.gov/vuln/detail/CVE-2023-30589\n* https://hackerone.com/reports/2001873\n", "fixed_in": ["3.8.5"], "id": "PYSEC-2023-120", "link": "https://osv.dev/vulnerability/PYSEC-2023-120", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2023-49081", "GHSA-q3qx-c6g2-7pw2"], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.", "fixed_in": ["3.9.0"], "id": "PYSEC-2023-250", "link": "https://osv.dev/vulnerability/PYSEC-2023-250", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2023-49082", "GHSA-qvrw-v9rv-5rjx"], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.", "fixed_in": ["3.9.0"], "id": "PYSEC-2023-251", "link": "https://osv.dev/vulnerability/PYSEC-2023-251", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2024-23334", "PYSEC-2024-24"], "details": "### Summary\nImproperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.\n\n### Details\nWhen using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.\n\ni.e. An application is only vulnerable with setup code like:\n```\napp.router.add_routes([\n web.static(\"/static\", \"static/\", follow_symlinks=True), # Remove follow_symlinks to avoid the vulnerability\n])\n```\n\n### Impact\nThis is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with `follow_symlinks` set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the `follow_symlinks` parameter.\n\n### Workaround\nEven if upgrading to a patched version of aiohttp, we recommend following these steps regardless.\n\nIf using `follow_symlinks=True` outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location _within_ the static root directory, it is _only_ intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.\n\nAdditionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and _not_ to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8079/files", "fixed_in": ["3.9.2"], "id": "GHSA-5h86-8mv2-jq9f", "link": "https://osv.dev/vulnerability/GHSA-5h86-8mv2-jq9f", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2024-23829", "PYSEC-2024-26"], "details": "### Summary\nSecurity-sensitive parts of the *Python HTTP parser* retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.\n\n### Details\nThese problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:\n\n1. The expression `HTTP/(\\d).(\\d)` lacked another backslash to clarify that the separator should be a literal dot, not just *any* Unicode code point (result: `HTTP/(\\d)\\.(\\d)`).\n\n2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.\n\n3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 `token`.\n\n### PoC\n`GET / HTTP/1\u00f61`\n`GET / HTTP/1.\ud835\udfd9`\n`GET/: HTTP/1.1`\n`Content-Encoding?: chunked`\n\n### Impact\nPrimarily concerns running an aiohttp server without llhttp:\n 1. **behind a proxy**: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.\n 2. **directly accessible** or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8074/files", "fixed_in": ["3.9.2"], "id": "GHSA-8qpw-xqxj-h4r2", "link": "https://osv.dev/vulnerability/GHSA-8qpw-xqxj-h4r2", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2023-47641"], "details": "### Impact\n\nAiohttp has a security vulnerability regarding the inconsistent interpretation of the http protocol. As we know that HTTP/1.1 is persistent, if we have both Content-Length(CL) and Transfer-Encoding(TE) it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation.\n\nA possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. I can give a Dockerfile with the configuration if you want.\n\nThe impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect (just like CVE-2021-21330) we can combine it to redirect random users to our website and log the request.\n\n\n### References\n\n- https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371", "fixed_in": ["3.8.0"], "id": "GHSA-xx9p-xxvh-7g8j", "link": "https://osv.dev/vulnerability/GHSA-xx9p-xxvh-7g8j", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2023-47627", "PYSEC-2023-246"], "details": "# Summary\nThe HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling.\nThis parser is only used when `AIOHTTP_NO_EXTENSIONS` is enabled (or not using a prebuilt wheel).\n \n# Details\n\n## Bug 1: Bad parsing of `Content-Length` values\n\n### Description\nRFC 9110 says this:\n> `Content-Length = 1*DIGIT`\n\nAIOHTTP does not enforce this rule, presumably because of an incorrect usage of the builtin `int` constructor. Because the `int` constructor accepts `+` and `-` prefixes, and digit-separating underscores, using `int` to parse CL values leads AIOHTTP to significant misinterpretation.\n\n### Examples\n```\nGET / HTTP/1.1\\r\\n\nContent-Length: -0\\r\\n\n\\r\\n\nX\n```\n```\nGET / HTTP/1.1\\r\\n\nContent-Length: +0_1\\r\\n\n\\r\\n\nX\n```\n\n### Suggested action\nVerify that a `Content-Length` value consists only of ASCII digits before parsing, as the standard requires.\n\n## Bug 2: Improper handling of NUL, CR, and LF in header values\n\n### Description\nRFC 9110 says this:\n> Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message.\n\nAIOHTTP's HTTP parser does not enforce this rule, and will happily process header values containing these three forbidden characters without replacing them with SP.\n### Examples\n```\nGET / HTTP/1.1\\r\\n\nHeader: v\\x00alue\\r\\n\n\\r\\n\n```\n```\nGET / HTTP/1.1\\r\\n\nHeader: v\\ralue\\r\\n\n\\r\\n\n```\n```\nGET / HTTP/1.1\\r\\n\nHeader: v\\nalue\\r\\n\n\\r\\n\n```\n### Suggested action\nReject all messages with NUL, CR, or LF in a header value. The translation to space thing, while technically allowed, does not seem like a good idea to me.\n\n## Bug 3: Improper stripping of whitespace before colon in HTTP headers\n\n### Description\nRFC 9112 says this:\n> No whitespace is allowed between the field name and colon. In the past, differences in the handling of such whitespace have led to security vulnerabilities in request routing and response handling. A server MUST reject, with a response status code of 400 (Bad Request), any received request message that contains whitespace between a header field name and colon.\n\nAIOHTTP does not enforce this rule, and will simply strip any whitespace before the colon in an HTTP header.\n\n### Example\n```\nGET / HTTP/1.1\\r\\n\nContent-Length : 1\\r\\n\n\\r\\n\nX\n```\n\n### Suggested action\nReject all messages with whitespace before a colon in a header field, as the standard requires.\n\n# PoC\nExample requests are embedded in the previous section. To reproduce these bugs, start an AIOHTTP server without llhttp (i.e. `AIOHTTP_NO_EXTENSIONS=1`) and send the requests given in the previous section. (e.g. by `printf`ing into `nc`)\n\n# Impact\nEach of these bugs can be used for request smuggling.", "fixed_in": ["3.8.6"], "id": "GHSA-gfw2-4jvh-wgfg", "link": "https://osv.dev/vulnerability/GHSA-gfw2-4jvh-wgfg", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2023-47627", "GHSA-gfw2-4jvh-wgfg"], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.", "fixed_in": ["3.8.6"], "id": "PYSEC-2023-246", "link": "https://osv.dev/vulnerability/PYSEC-2023-246", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2023-47641", "GHSA-xx9p-xxvh-7g8j"], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "fixed_in": ["3.8.0"], "id": "PYSEC-2023-247", "link": "https://osv.dev/vulnerability/PYSEC-2023-247", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2023-49082", "PYSEC-2023-251"], "details": "### Summary\nImproper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.\n\n### Details\nThe vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.\n\nPrevious releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.\n\n### PoC\nA minimal example can be found here:\nhttps://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b\n\n### Impact\nIf the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).\n\n### Workaround\nIf unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).\n\nPatch: https://github.com/aio-libs/aiohttp/pull/7806/files", "fixed_in": ["3.9.0"], "id": "GHSA-qvrw-v9rv-5rjx", "link": "https://osv.dev/vulnerability/GHSA-qvrw-v9rv-5rjx", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2023-49081", "PYSEC-2023-250"], "details": "### Summary\nImproper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.\n\n### Details\nThe vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).\nFor example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the `version` parameter.\nFurthermore, the vulnerability only occurs when the `Connection` header is passed to the `headers` parameter.\n\nAt this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.\n\n### PoC\nThe POC below shows an example of providing an unvalidated array as a version:\nhttps://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e\n\n### Impact\nCRLF injection leading to Request Smuggling.\n\n### Workaround\nIf these specific conditions are met and you are unable to upgrade, then validate the user input to the `version` parameter to ensure it is a `str`.\n\nPatch: https://github.com/aio-libs/aiohttp/pull/7835/files", "fixed_in": ["3.9.0"], "id": "GHSA-q3qx-c6g2-7pw2", "link": "https://osv.dev/vulnerability/GHSA-q3qx-c6g2-7pw2", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": [], "details": "### Summary\nllhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities.\nDetails have not been disclosed yet, so refer to llhttp for future information.\nThe issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).", "fixed_in": ["3.8.6"], "id": "GHSA-pjjw-qhg8-p2p9", "link": "https://osv.dev/vulnerability/GHSA-pjjw-qhg8-p2p9", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-34517"], "details": "### Summary\n\nFor some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.\n\n### Impact\n\nIf an application uses `Request.post()` an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145", "fixed_in": ["3.13.4"], "id": "GHSA-3wq7-rqq7-wx6j", "link": "https://osv.dev/vulnerability/GHSA-3wq7-rqq7-wx6j", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2024-23829", "GHSA-8qpw-xqxj-h4r2"], "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.", "fixed_in": ["3.9.2"], "id": "PYSEC-2024-26", "link": "https://osv.dev/vulnerability/PYSEC-2024-26", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-34519"], "details": "### Summary\n\nAn attacker who controls the `reason` parameter when creating a `Response` may be able to inject extra headers or similar exploits.\n\n### Impact\n\nIn the unlikely situation that an application allows untrusted data to be used in the response's `reason` parameter, then an attacker could manipulate the response to send something different from what the developer intended.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b", "fixed_in": ["3.13.4"], "id": "GHSA-mwh4-6h8g-pg8w", "link": "https://osv.dev/vulnerability/GHSA-mwh4-6h8g-pg8w", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-34518"], "details": "### Summary\n\nWhen following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.\n\n### Impact\n\nThe Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6", "fixed_in": ["3.13.4"], "id": "GHSA-966j-vmvw-g2g9", "link": "https://osv.dev/vulnerability/GHSA-966j-vmvw-g2g9", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-34520"], "details": "### Summary\n\nThe C parser (the default for most installs) accepted null bytes and control characters is response headers.\n\n### Impact\n\nAn attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, `request.url.origin()` may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4", "fixed_in": ["3.13.4"], "id": "GHSA-63hf-3vf5-4wqf", "link": "https://osv.dev/vulnerability/GHSA-63hf-3vf5-4wqf", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2024-27306"], "details": "### Summary\n\nA XSS vulnerability exists on index pages for static file handling.\n\n### Details\n\nWhen using `web.static(..., show_index=True)`, the resulting index pages do not escape file names.\n\nIf users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.\n\n### Workaround\n\nWe have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.\n\nOther users can disable `show_index` if unable to upgrade.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8319/files", "fixed_in": ["3.9.4"], "id": "GHSA-7gpw-8wmc-pm8g", "link": "https://osv.dev/vulnerability/GHSA-7gpw-8wmc-pm8g", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2024-30251"], "details": "### Summary\nAn attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.\n\n### Impact\nAn attacker can stop the application from serving requests after sending a single request.\n\n-------\n\nFor anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`):\n\n```diff\ndiff --git a/aiohttp/multipart.py b/aiohttp/multipart.py\nindex 227be605c..71fc2654a 100644\n--- a/aiohttp/multipart.py\n+++ b/aiohttp/multipart.py\n@@ -338,6 +338,8 @@ class BodyPartReader:\n assert self._length is not None, \"Content-Length required for chunked read\"\n chunk_size = min(size, self._length - self._read_bytes)\n chunk = await self._content.read(chunk_size)\n+ if self._content.at_eof():\n+ self._at_eof = True\n return chunk\n \n async def _read_chunk_from_stream(self, size: int) -> bytes:\n```\n\nThis does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:\nhttps://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19\nhttps://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597\nhttps://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866", "fixed_in": ["3.9.4"], "id": "GHSA-5m98-qgg9-wh84", "link": "https://osv.dev/vulnerability/GHSA-5m98-qgg9-wh84", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-34525"], "details": "### Summary\n\nMultiple Host headers were allowed in aiohttp.\n\n### Impact\n\nMostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using `Application.add_domain()`.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349\nPatch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000", "fixed_in": ["3.13.4"], "id": "GHSA-c427-h43c-vf67", "link": "https://osv.dev/vulnerability/GHSA-c427-h43c-vf67", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2024-52304"], "details": "### Summary\nThe Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.\n\n### Impact\nIf a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71", "fixed_in": ["3.10.11"], "id": "GHSA-8495-4g3g-x7pr", "link": "https://osv.dev/vulnerability/GHSA-8495-4g3g-x7pr", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2025-53643"], "details": "### Summary\nThe Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.\n\n### Impact\nIf a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a", "fixed_in": ["3.12.14"], "id": "GHSA-9548-qrrj-x5pj", "link": "https://osv.dev/vulnerability/GHSA-9548-qrrj-x5pj", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2025-69223"], "details": "### Summary\nA zip bomb can be used to execute a DoS against the aiohttp server.\n\n### Impact\nAn attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a", "fixed_in": ["3.13.3"], "id": "GHSA-6mq8-rvhq-8wgg", "link": "https://osv.dev/vulnerability/GHSA-6mq8-rvhq-8wgg", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2025-69224"], "details": "### Summary\nThe Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.\n\n### Impact\nIf a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0", "fixed_in": ["3.13.3"], "id": "GHSA-69f9-5gxw-wvc2", "link": "https://osv.dev/vulnerability/GHSA-69f9-5gxw-wvc2", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2025-69228"], "details": "### Summary\nA request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.\n\n### Impact\nIf an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60", "fixed_in": ["3.13.3"], "id": "GHSA-6jhg-hg63-jvvf", "link": "https://osv.dev/vulnerability/GHSA-6jhg-hg63-jvvf", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2025-69229"], "details": "### Summary\n\nHandling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.\n\n### Impact\n\nIf an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712\nPatch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229", "fixed_in": ["3.13.3"], "id": "GHSA-g84x-mcqj-x9qq", "link": "https://osv.dev/vulnerability/GHSA-g84x-mcqj-x9qq", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2025-69230"], "details": "### Summary\nReading multiple invalid cookies can lead to a logging storm.\n\n### Impact\nIf the ``cookies`` attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326", "fixed_in": ["3.13.3"], "id": "GHSA-fh55-r93g-j68g", "link": "https://osv.dev/vulnerability/GHSA-fh55-r93g-j68g", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2025-69226"], "details": "### Summary\nPath normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the\nexistence of absolute path components.\n\n### Impact\nIf an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e", "fixed_in": ["3.13.3"], "id": "GHSA-54jq-c3m8-4m76", "link": "https://osv.dev/vulnerability/GHSA-54jq-c3m8-4m76", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2025-69227"], "details": "### Summary\nWhen assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.\n\n### Impact\nIf optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259", "fixed_in": ["3.13.3"], "id": "GHSA-jj3x-wxrx-4x23", "link": "https://osv.dev/vulnerability/GHSA-jj3x-wxrx-4x23", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2025-69225"], "details": "### Summary\n\nThe parser allows non-ASCII decimals to be present in the Range header.\n\n### Impact\n\nThere is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96", "fixed_in": ["3.13.3"], "id": "GHSA-mqqc-3gqh-h2x8", "link": "https://osv.dev/vulnerability/GHSA-mqqc-3gqh-h2x8", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-22815"], "details": "### Summary\n\nInsufficient restrictions in header/trailer handling could cause uncapped memory usage.\n\n### Impact\n\nAn application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36", "fixed_in": ["3.13.4"], "id": "GHSA-w2fm-2cpv-w7v5", "link": "https://osv.dev/vulnerability/GHSA-w2fm-2cpv-w7v5", "source": "osv", "summary": null, "withdrawn": null}, {"aliases": ["CVE-2026-34514"], "details": "### Summary\n\nAn attacker who controls the `content_type` parameter in aiohttp could use this to inject extra headers or similar exploits.\n\n### Impact\n\nIf an application allows untrusted data to be used for the multipart `content_type` parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06", "fixed_in": ["3.13.4"], "id": "GHSA-2vrm-gr82-f7m5", "link": "https://osv.dev/vulnerability/GHSA-2vrm-gr82-f7m5", "source": "osv", "summary": null, "withdrawn": null}], "releases": {"3.2.1": [{"comment_text": "", "digests": {"blake2b_256": "81fa8915137ac0603112bbb63489de90a75c69da8a138594eb6a24cb8afb14df", "md5": "323488a14b46ba289415eb290088f8fe", "sha256": "1b95d53f8dac13898f0a3e4af76f6f36d540fbfaefc4f4c9f43e436fa0e53d22"}, "downloads": -1, "filename": "aiohttp-3.2.1.tar.gz", "has_sig": false, "md5_digest": "323488a14b46ba289415eb290088f8fe", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.5.3", "size": 720223, "upload_time": "2018-05-10T08:52:30", "upload_time_iso_8601": "2018-05-10T08:52:30.398098Z", "url": "https://fixtures.pulpproject.org/python-pypi/packages/aiohttp-3.2.1.tar.gz", "yanked": false, "yanked_reason": null}], "3.3.1": [{"comment_text": "", "digests": {"blake2b_256": "1561e527f5094e5717d31ab2a92135e67e131659068626d426b95244e9c3aa8d", "md5": "9a58ffe9ae0b37428dd99dd55bb69820", "sha256": "16ac24a3278375d277dacf992ac07084865c3aad3e625fc5be693c4b7e7f550d"}, "downloads": -1, "filename": "aiohttp-3.3.1.tar.gz", "has_sig": false, "md5_digest": "9a58ffe9ae0b37428dd99dd55bb69820", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.5.3", "size": 723180, "upload_time": "2018-06-05T19:49:30", "upload_time_iso_8601": "2018-06-05T19:49:30.690448Z", "url": "https://fixtures.pulpproject.org/python-pypi/packages/aiohttp-3.3.1.tar.gz", "yanked": false, "yanked_reason": null}], "3.3.0a0": [{"comment_text": "", "digests": {"blake2b_256": "e0ca1804e24313a80445efad9c7ead32774934b5fd6c2d5c16723d2701c47f35", "md5": "44a31cf126a932a741a6dc4fc35e0712", "sha256": "4351d6b9df5a6e389208f665e8c4c5db7ade7b06f564b3e7bee6cf713628c1b5"}, "downloads": -1, "filename": "aiohttp-3.3.0a0.tar.gz", "has_sig": false, "md5_digest": "44a31cf126a932a741a6dc4fc35e0712", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.5.3", "size": 722805, "upload_time": "2018-06-02T10:14:05", "upload_time_iso_8601": "2018-06-02T10:14:05.605277Z", "url": "https://fixtures.pulpproject.org/python-pypi/packages/aiohttp-3.3.0a0.tar.gz", "yanked": false, "yanked_reason": null}], "3.3.2a0": [{"comment_text": "", "digests": {"blake2b_256": "314cddc159ef34701882d0dad1b2c48df8b83d728fc73f378b5a7de8681b6662", "md5": "70e331ccfa4e208eb37c7f9f17592a4f", "sha256": "d14043ba802ec3614f401348eae6cce31f790c68cbf21f8b8d15eb8ac9c2a63a"}, "downloads": -1, "filename": "aiohttp-3.3.2a0.tar.gz", "has_sig": false, "md5_digest": "70e331ccfa4e208eb37c7f9f17592a4f", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.5.3", "size": 771435, "upload_time": "2018-06-12T12:31:38", "upload_time_iso_8601": "2018-06-12T12:31:38.716833Z", "url": "https://fixtures.pulpproject.org/python-pypi/packages/aiohttp-3.3.2a0.tar.gz", "yanked": false, "yanked_reason": null}], "3.3.0": [{"comment_text": "", "digests": {"blake2b_256": "bfafa6f68012ff76916902fda95ca6ec1150386aa6c998eaefca7d5fbc2e8a92", "md5": "20ecf6ec314b035d6306c6155413cf07", "sha256": "3128d3ef7b575dbb272cdacd4d4c9a7cf67b18899e96260d55ae3a5782d886e7"}, "downloads": -1, "filename": "aiohttp-3.3.0.tar.gz", "has_sig": false, "md5_digest": "20ecf6ec314b035d6306c6155413cf07", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.5.3", "size": 722307, "upload_time": "2018-06-01T07:16:34", "upload_time_iso_8601": "2018-06-01T07:16:34.596525Z", "url": "https://fixtures.pulpproject.org/python-pypi/packages/aiohttp-3.3.0.tar.gz", "yanked": false, "yanked_reason": null}], "3.2.0": [{"comment_text": "", "digests": {"blake2b_256": "0e1bfd86244ef0c1c6c18581a7cbd37535f8a59054e73fbd52227c37b1c5a0d4", "md5": "e4c6e2e429e4abd07f1d156879b19825", "sha256": "1be3903fe6a36d20492e74efb326522dd4702bf32b45ffc7acbc0fb34ab240a6"}, "downloads": -1, "filename": "aiohttp-3.2.0.tar.gz", "has_sig": false, "md5_digest": "e4c6e2e429e4abd07f1d156879b19825", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.5.3", "size": 719685, "upload_time": "2018-05-06T21:03:54", "upload_time_iso_8601": "2018-05-06T21:03:54.792611Z", "url": "https://fixtures.pulpproject.org/python-pypi/packages/aiohttp-3.2.0.tar.gz", "yanked": false, "yanked_reason": null}], "3.3.2": [{"comment_text": "", "digests": {"blake2b_256": "726a5bbf3544fe8de525f4521506b372dc9c3b13070fe34e911c976aa95631d7", "md5": "dfaadf259d1f677a286d203e9470d2a0", "sha256": "f20deec7a3fbaec7b5eb7ad99878427ad2ee4cc16a46732b705e8121cbb3cc12"}, "downloads": -1, "filename": "aiohttp-3.3.2.tar.gz", "has_sig": false, "md5_digest": "dfaadf259d1f677a286d203e9470d2a0", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.5.3", "size": 771414, "upload_time": "2018-06-12T13:56:50", "upload_time_iso_8601": "2018-06-12T13:56:50.007839Z", "url": "https://fixtures.pulpproject.org/python-pypi/packages/aiohttp-3.3.2.tar.gz", "yanked": false, "yanked_reason": null}]}}