Security Advisories · aio-libs/aiohttp · GitHub

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Incomplete websocket frame payloads bypass memory limits
GHSA-xcgm-r5h9-7989 published Jun 8, 2026 by Dreamsorcerer

Moderate
TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
GHSA-4m7w-qmgq-4wj5 published Jun 8, 2026 by Dreamsorcerer

Low
Payload Response Resources Are Not Closed After Mid-Body Disconnect
GHSA-9x8q-7h8h-wcw9 published Jun 8, 2026 by Dreamsorcerer

Low
HTTP/1 Pipelined Requests Queue Without Limit
GHSA-4fvr-rgm6-gqmc published Jun 8, 2026 by Dreamsorcerer

Low
Unread Compressed Request Bodies Bypass client_max_size During Cleanup
GHSA-g3cq-j2xw-wf74 published Jun 8, 2026 by Dreamsorcerer

Moderate
C HTTP Parser Bypasses max_line_size for Fragmented Lines
GHSA-63hw-fmq6-xxg2 published Jun 8, 2026 by Dreamsorcerer

Moderate
DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
GHSA-hpj7-wq8m-9hgp published Jun 8, 2026 by Dreamsorcerer

Low
Host-Only Cookies Become Domain Cookies After CookieJar Persistence
GHSA-2fqr-mr3j-6wp8 published Jun 8, 2026 by Dreamsorcerer

Low
CRLF injection in multipart headers
GHSA-m6qw-4cw2-hm4m published Jun 4, 2026 by Dreamsorcerer

Low
Cross-origin redirect with per-request cookies
GHSA-hg6j-4rv6-33pg published Jun 2, 2026 by Dreamsorcerer

Low

⚡