
Host-Only Cookies Become Domain Cookies After CookieJar Persistence

Low
Dreamsorcerer published GHSA-2fqr-mr3j-6wp8 Jun 8, 2026

Package

aiohttp (pip)

Affected versions

<=3.14.0

Patched versions

3.14.1

Description

Summary

Host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() lose their host-only status.

Impact

Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed.
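The effect can be reproduced with a small standard-library model. This is an added example, not aiohttp's code or its on-disk format: the `Cookie` class, the JSON layout and all function names are assumptions, and the cookie and hosts are constructed sample data. It compares a round trip that drops the host-only flag with one that keeps it.

```python
import json
from dataclasses import dataclass, asdict

@dataclass
class Cookie:  # hypothetical model, not aiohttp's internal representation
    name: str
    value: str
    domain: str
    host_only: bool  # True when Set-Cookie carried no Domain attribute (RFC 6265, 5.3)

def should_send(cookie, host):
    """Host-only cookies need an exact host match; domain cookies also match subdomains."""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)

def save_lossy(cookies):
    """Persistence that omits host_only, modelling the flaw in the summary."""
    rows = [{k: v for k, v in asdict(c).items() if k != "host_only"} for c in cookies]
    return json.dumps(rows)

def load_lossy(blob):
    # With no flag stored, every restored cookie is treated as a domain cookie.
    return [Cookie(host_only=False, **row) for row in json.loads(blob)]

def save_full(cookies):
    """Persistence that records host_only alongside the other fields."""
    return json.dumps([asdict(c) for c in cookies])

def load_full(blob):
    return [Cookie(**row) for row in json.loads(blob)]

def hosts_receiving(cookies, hosts):
    """Sorted list of hosts that would be sent at least one cookie from the jar."""
    return sorted(h for h in hosts if any(should_send(c, h) for c in cookies))

# Constructed sample: a cookie set by example.com without a Domain attribute.
ORIGINAL = [Cookie("session", "constructed-value", "example.com", host_only=True)]
HOSTS = ["example.com", "app.example.com", "example.org"]

if __name__ == "__main__":
    print("before save:    ", hosts_receiving(ORIGINAL, HOSTS))
    print("lossy reload:   ", hosts_receiving(load_lossy(save_lossy(ORIGINAL)), HOSTS))
    print("complete reload:", hosts_receiving(load_full(save_full(ORIGINAL)), HOSTS))
```

The same comparison of recipients before and after a save/load cycle works as a regression check for any client that persists cookies.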


Patch: a329a7a

Severity

Low

CVE ID

CVE-2026-54279

Weaknesses

No CWEs

Credits