pkg:PyPI/aiohttp

40 total CVEsCRITICAL1HIGH11MEDIUM22LOW4

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.1CVE-2026-34520AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
    from 0, < 3.13.4
  • HIGH7.5CVE-2026-34516AIOHTTP has a Multipart Header Size Bypass
    from 0, < 3.13.4
  • HIGH7.5CVE-2026-34513AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
    from 0, < 3.13.4
  • HIGH7.5CVE-2025-69228AIOHTTP vulnerable to denial of service through large payloads
    from 0, < 3.13.3
  • HIGH7.5CVE-2025-69227AIOHTTP vulnerable to DoS when bypassing asserts
    from 0, < 3.13.3
  • HIGH7.5CVE-2025-69223AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    from 0, < 3.13.3
  • HIGH7.5CVE-2025-53643AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
    from 0, < 3.12.14
  • HIGH7.5CVE-2024-52304aiohttp allows request smuggling due to incorrect parsing of chunk extensions
    from 0, < 3.10.11
  • HIGH7.5CVE-2024-52303aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method
    >= 3.10.6, < 3.10.11
  • HIGH7.5CVE-2024-30251aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
    from 0, < 3.9.4
  • HIGH7.2CVE-2023-49081aiohttp's ClientSession is vulnerable to CRLF injection via version
    from 0, < 3.9.0
  • HIGH7.2CVE-2023-49081aiohttp's ClientSession is vulnerable to CRLF injection via version
    from 0, < 1e86b777e61cf4eefc7d92fa57fa19dcc676013b | from 0, < 3.9.0
  • MEDIUM6.5CVE-2025-69224AIOHTTP's unicode processing of header values could cause parsing discrepancies
    from 0, < 3.13.3
  • MEDIUM6.5CVE-2024-23829aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
    from 0, < 3.9.2
  • MEDIUM6.5CVE-2024-23829aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
    from 0, < 33ccdfb0a12690af5bb49bda2319ec0907fa7827 | from 0, < 3.9.2
  • MEDIUM6.1CVE-2024-27306aiohttp Cross-site Scripting vulnerability on index pages for static file handling
    from 0, < 3.9.4
  • MEDIUM5.9CVE-2024-23334aiohttp is vulnerable to directory traversal
    from 0, < 1c335944d6a8b1298baf179b7c0b3069f10c514b | >= 1.0.5, < 3.9.2
  • MEDIUM5.9CVE-2024-23334aiohttp is vulnerable to directory traversal
    >= 1.0.5, < 3.9.2
  • MEDIUM5.3CVE-2026-34525AIOHTTP accepts duplicate Host headers
    from 0, < 3.13.4
  • MEDIUM5.3CVE-2026-34519AIOHTTP has HTTP response splitting via \r in reason phrase
    from 0, < 3.13.4
  • MEDIUM5.3CVE-2026-34518AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
    from 0, < 3.13.4
  • MEDIUM5.3CVE-2026-34517AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
    from 0, < 3.13.4
  • MEDIUM5.3CVE-2026-34514AIOHTTP has CRLF injection through multipart part content type header construction
    from 0, < 3.13.4
  • MEDIUM5.3CVE-2025-69230AIOHTTP Vulnerable to Cookie Parser Warning Storm
    from 0, < 3.13.3
  • MEDIUM5.3CVE-2025-69229AIOHTTP vulnerable to DoS through chunked messages
    from 0, < 3.13.3
  • MEDIUM5.3CVE-2025-69226AIOHTTP vulnerable to brute-force leak of internal static file path components
    from 0, < 3.13.3
  • MEDIUM5.3CVE-2025-69225AIOHTTP has unicode match groups in regexes for ASCII protocol elements
    from 0, < 3.13.3
  • MEDIUM5.3CVE-2023-49082aiohttp's ClientSession is vulnerable to CRLF injection via method
    from 0, < 3.9.0
  • MEDIUM5.3CVE-2023-49082aiohttp's ClientSession is vulnerable to CRLF injection via method
    from 0, < e4ae01c2077d2cfa116aa82e4ff6866857f7c466 | from 0, < 3.9.0
  • MEDIUM5.3CVE-2023-47627python-aiohttp - security update
    from 0, < d5c12ba890557a575c313bb3017910d7616fce3d | from 0, < 3.8.6
  • MEDIUM5.3CVE-2023-47627python-aiohttp - security update
    from 0, < 3.8.6
  • MEDIUM5.3CVE-2023-37276aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
    from 0, < 3.8.5
  • MEDIUM5.3CVE-2023-37276aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
    from 0, < 3.8.5
  • MEDIUM4.8CVE-2024-42367In aiohttp, compressed files as symlinks are not protected from path traversal
    >= 3.10.0b1, < 3.10.2
  • LOW3.4CVE-2023-47641Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
    from 0, < 3.8.0
  • LOW3.4CVE-2023-47641Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
    from 0, < f016f0680e4ace6742b03a70cb0382ce86abe371 | from 0, < 3.8.0
  • LOW3.1CVE-2021-21330`aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)
    from 0, < 3.7.4
  • LOW3.1CVE-2021-21330`aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)
    from 0, < 2545222a3853e31ace15d87ae0e2effb7da0c96b | from 0, < 3.7.4
  • CVE-2026-34515AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
    from 0, < 3.13.4
  • CVE-2026-22815aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
    from 0, < 3.13.4