
aiohttp — Vulnerabilities & Security Advisories (32)

All 32 CVE vulnerabilities found in aiohttp, with AI-generated Chinese analysis, references, and POCs.

Vendor: aio-libs

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34525 | AIOHTTP: Duplicate Host header accepted | CWE-20 | 5.8 | - | 2026-04-01 |
| CVE-2026-34520 | AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass | CWE-113 | 9.1 | - | 2026-04-01 |
| CVE-2026-34519 | AIOHTTP: HTTP response splitting via \r in reason phrase | CWE-113 | 6.5 | - | 2026-04-01 |
| CVE-2026-34518 | AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect | CWE-200 | 4.3 | - | 2026-04-01 |
| CVE-2026-34517 | AIOHTTP: Late size enforcement for non-file multipart fields causes memory DoS | CWE-770 | 7.5 | - | 2026-04-01 |
| CVE-2026-34516 | AIOHTTP: Multipart Header Size Bypass | CWE-770 | 7.5 | - | 2026-04-01 |
| CVE-2026-34515 | AIOHTTP: UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows | CWE-36 | 5.3 | - | 2026-04-01 |
| CVE-2026-34514 | AIOHTTP: CRLF injection in multipart part content type header construction | CWE-113 | 6.5 | - | 2026-04-01 |
| CVE-2026-22815 | AIOHTTP: Uncapped memory usage possible through aiohttp allowing unlimited trailer headers | CWE-400 | 7.5 | - | 2026-04-01 |
| CVE-2026-34513 | AIOHTTP: Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector | CWE-770 | 7.5 (AI) | High (AI) | 2026-04-01 |
| CVE-2025-69230 | AIOHTTP Vulnerable to Cookie Parser Warning Storm | CWE-779 | - | - | 2026-01-05 |
| CVE-2025-69229 | AIOHTTP vulnerable to DoS through chunked messages | CWE-770 | 7.5 | - | 2026-01-05 |
| CVE-2025-69228 | AIOHTTP vulnerable to denial of service through large payloads | CWE-770 | 7.5 | - | 2026-01-05 |
| CVE-2025-69227 | AIOHTTP vulnerable to DoS when bypassing asserts | CWE-835 | 7.5 | - | 2026-01-05 |
| CVE-2025-69225 | AIOHTTP Regex Mismatch Allows Unicode in ASCII-Only Protocol Fields | CWE-444 | 7.5 | - | 2026-01-05 |
| CVE-2025-69226 | AIOHTTP allows for a brute-force leak of internal static filepath components | CWE-22 | 5.3 | - | 2026-01-05 |
| CVE-2025-69224 | AIOHTTP's Unicode processing of header values could cause parsing discrepancies | CWE-444 | 7.5 | - | 2026-01-05 |
| CVE-2025-69223 | AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb | CWE-409 | 7.5 | High | 2026-01-05 |
| CVE-2025-53643 | AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections | CWE-444 | 9.8 | - | 2025-07-14 |
| CVE-2024-52304 | aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions | CWE-444 | 7.5 | - | 2024-11-18 |
| CVE-2024-52303 | aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method | CWE-772 | 5.9 | - | 2024-11-18 |
| CVE-2024-42367 | In aiohttp, compressed files as symlinks are not protected from path traversal | CWE-61 | 4.8 | Medium | 2024-08-09 |
| CVE-2024-30251 | Denial of service when trying to parse malformed POST requests in aiohttp | CWE-835 | 7.5 | High | 2024-05-02 |
| CVE-2024-27306 | aiohttp vulnerable to XSS on index pages for static file handling | CWE-79 | 6.1 | Medium | 2024-04-18 |
| CVE-2024-23334 | aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal | CWE-22 | 5.9 | Medium | 2024-01-29 |
| CVE-2024-23829 | aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators | CWE-444 | 6.5 | Medium | 2024-01-29 |
| CVE-2023-49081 | aiohttp's ClientSession is vulnerable to CRLF injection via version | CWE-20 | 7.2 | High | 2023-11-30 |
| CVE-2023-49082 | aiohttp's ClientSession is vulnerable to CRLF injection via method | CWE-93 | 5.3 | Medium | 2023-11-29 |
| CVE-2023-47627 | Request smuggling in aiohttp | CWE-444 | 5.3 | Medium | 2023-11-14 |
| CVE-2023-47641 | Inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` in aiohttp | CWE-444 | 3.4 | Low | 2023-11-14 |
