
aiohttp — Vulnerabilities & Security Advisories (34)

All 34 CVE vulnerabilities found in aiohttp, with AI-generated Chinese analysis, references, and POCs.

This page aggregates Common Weakness Enumeration (CWE) vulnerability data specifically for the aiohttp Python library, provided by the aiohttp development team. It collects a comprehensive range of security issues affecting this asynchronous HTTP client and server framework, covering the entire period from its initial public release up to the present day. The data includes issues ranging from low-severity logic flaws to critical remote code execution vulnerabilities, ensuring a complete historical record of security posture. Here, users can track a vendor's security advisories to stay updated on patches and mitigation strategies. Researchers and developers can understand a specific weakness class by analyzing how it manifests in asynchronous web applications and how aiohttp has historically addressed such patterns. Furthermore, one can look up a product's vulnerability history to assess the long-term reliability of the library and understand the evolution of its security controls over time. This resource is designed to support informed decision-making for system architects, security analysts, and application developers who rely on aiohttp for building scalable network services. By centralizing this information, the page facilitates easier risk assessment and compliance auditing for organizations using this widely adopted Python package. The content is structured to allow for quick identification of past incidents and their resolution status, providing transparency into the project's security maintenance practices without overwhelming the reader with raw data dumps.

Vendor: aio-libs

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-47265 | AIOHTTP vulnerable to cross-origin redirect with per-request cookies | CWE-346 | - | - | 2026-06-02 |
| CVE-2026-34993 | AIOHTTP Vulnerable to Deserialization of Untrusted Data | CWE-502 | 6.4 | Medium | 2026-06-02 |
| CVE-2026-34525 | AIOHTTP: Duplicate Host header accepted | CWE-20 | 5.8 | - | 2026-04-01 |
| CVE-2026-34520 | AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass | CWE-113 | 9.1 | - | 2026-04-01 |
| CVE-2026-34519 | AIOHTTP: HTTP response splitting via \r in reason phrase | CWE-113 | 6.5 | - | 2026-04-01 |
| CVE-2026-34518 | AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect | CWE-200 | 4.3 | - | 2026-04-01 |
| CVE-2026-34517 | AIOHTTP: Late size enforcement for non-file multipart fields causes memory DoS | CWE-770 | 7.5 | - | 2026-04-01 |
| CVE-2026-34516 | AIOHTTP: Multipart Header Size Bypass | CWE-770 | 7.5 | - | 2026-04-01 |
| CVE-2026-34515 | AIOHTTP: UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows | CWE-36 | 5.3 | - | 2026-04-01 |
| CVE-2026-34514 | AIOHTTP: CRLF injection in multipart part content type header construction | CWE-113 | 6.5 | - | 2026-04-01 |
| CVE-2026-22815 | AIOHTTP: Uncapped memory usage possible through aiohttp allowing unlimited trailer headers | CWE-400 | 7.5 | - | 2026-04-01 |
| CVE-2026-34513 | AIOHTTP: Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector | CWE-770 | 7.5 (AI) | High (AI) | 2026-04-01 |
| CVE-2025-69230 | AIOHTTP Vulnerable to Cookie Parser Warning Storm | CWE-779 | - | - | 2026-01-05 |
| CVE-2025-69229 | AIOHTTP vulnerable to DoS through chunked messages | CWE-770 | 7.5 | - | 2026-01-05 |
| CVE-2025-69228 | AIOHTTP vulnerable to denial of service through large payloads | CWE-770 | 7.5 | - | 2026-01-05 |
| CVE-2025-69227 | AIOHTTP vulnerable to DoS when bypassing asserts | CWE-835 | 7.5 | - | 2026-01-05 |
| CVE-2025-69225 | AIOHTTP Regex Mismatch Allows Unicode in ASCII-Only Protocol Fields | CWE-444 | 7.5 | - | 2026-01-05 |
| CVE-2025-69226 | AIOHTTP allows for a brute-force leak of internal static filepath components | CWE-22 | 5.3 | - | 2026-01-05 |
| CVE-2025-69224 | AIOHTTP's Unicode processing of header values could cause parsing discrepancies | CWE-444 | 7.5 | - | 2026-01-05 |
| CVE-2025-69223 | AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb | CWE-409 | 7.5 | High | 2026-01-05 |
| CVE-2025-53643 | AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections | CWE-444 | 9.8 | - | 2025-07-14 |
| CVE-2024-52304 | aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions | CWE-444 | 7.5 | - | 2024-11-18 |
| CVE-2024-52303 | aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method | CWE-772 | 5.9 | - | 2024-11-18 |
| CVE-2024-42367 | In aiohttp, compressed files as symlinks are not protected from path traversal | CWE-61 | 4.8 | Medium | 2024-08-09 |
| CVE-2024-30251 | Denial of service when trying to parse malformed POST requests in aiohttp | CWE-835 | 7.5 | High | 2024-05-02 |
| CVE-2024-27306 | aiohttp vulnerable to XSS on index pages for static file handling | CWE-79 | 6.1 | Medium | 2024-04-18 |
| CVE-2024-23334 | aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal | CWE-22 | 5.9 | Medium | 2024-01-29 |
| CVE-2024-23829 | aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators | CWE-444 | 6.5 | Medium | 2024-01-29 |
| CVE-2023-49081 | aiohttp's ClientSession is vulnerable to CRLF injection via version | CWE-20 | 7.2 | High | 2023-11-30 |
| CVE-2023-49082 | aiohttp's ClientSession is vulnerable to CRLF injection via method | CWE-93 | 5.3 | Medium | 2023-11-29 |

All 34 known CVE vulnerabilities affecting aiohttp, with full Chinese analysis, references, and POCs where available.