Package impact

python PyPI / aiohttp

CVE Severity CVSS Risk Published Description Impact
CVE-2021-21330 low 2.5 5y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based… arch, suse, debian, python
CVE-2026-34525 unknown 2mo ago AIOHTTP accepts duplicate Host headers suse, debian, python
CVE-2026-34520 unknown 2mo ago AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in res… suse, debian, python
CVE-2026-34519 unknown 2mo ago AIOHTTP has HTTP response splitting via \r in reason phrase suse, debian, python
CVE-2026-34518 unknown 2mo ago AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect suse, debian, python
CVE-2026-34517 unknown 2mo ago AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking clie… suse, debian, python
CVE-2026-34516 unknown 2mo ago AIOHTTP has a Multipart Header Size Bypass suse, debian, python
CVE-2026-34515 unknown 2mo ago AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows suse, debian, python
CVE-2026-34514 unknown 2mo ago AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra … suse, debian, python
CVE-2026-34513 unknown 2mo ago AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector suse, debian, python
CVE-2026-22815 unknown 2mo ago aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage suse, debian, python
CVE-2025-69230 unknown 5mo ago AIOHTTP Vulnerable to Cookie Parser Warning Storm suse, debian, python
CVE-2025-69229 unknown 5mo ago AIOHTTP vulnerable to DoS through chunked messages suse, debian, python
CVE-2025-69228 unknown 5mo ago AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontro… suse, debian, python
CVE-2025-69227 unknown 5mo ago AIOHTTP vulnerable to DoS when bypassing asserts suse, debian, python
CVE-2025-69226 unknown 5mo ago AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path no… suse, debian, python
CVE-2025-69225 unknown 5mo ago AIOHTTP has unicode match groups in regexes for ASCII protocol elements suse, debian, python
CVE-2025-69224 unknown 5mo ago AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII… suse, debian, python
CVE-2025-69223 unknown 5mo ago AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be a… suse, debian, python
CVE-2025-53643 unknown 11mo ago AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections suse, debian, python
CVE-2024-52304 unknown 2y ago aiohttp allows request smuggling due to incorrect parsing of chunk extensions suse, debian, python
CVE-2024-52303 unknown 2y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError… suse, debian, python
CVE-2024-42367 unknown 2y ago In aiohttp, compressed files as symlinks are not protected from path traversal suse, debian, python
CVE-2024-30251 unknown 2y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp serv… suse, debian, python
CVE-2024-27306 unknown 2y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have alway… suse, debian, python
CVE-2024-23334 unknown 2y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static f… suse, debian, python
CVE-2024-23829 unknown 2y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must tr… suse, debian, python
CVE-2023-49081 unknown 3y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create… suse, debian, python
CVE-2023-49082 unknown 3y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even cre… suse, debian, python
CVE-2023-47627 unknown 3y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parse… suse, debian, python
CVE-2023-47641 unknown 3y ago aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protoc… suse, debian, python
CVE-2023-37276 unknown 3y ago aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser suse, debian, python