Security: aio-libs/aiohttp
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Duplicate Host header accepted. GHSA-c427-h43c-vf67, published Apr 1, 2026 by Dreamsorcerer. Severity: Low
- C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass. GHSA-63hf-3vf5-4wqf, published Apr 1, 2026 by Dreamsorcerer. Severity: Low
- HTTP response splitting via \r in reason phrase. GHSA-mwh4-6h8g-pg8w, published Apr 1, 2026 by Dreamsorcerer. Severity: Low
- Cookie and Proxy-Authorization headers leaked on cross-origin redirect. GHSA-966j-vmvw-g2g9, published Apr 1, 2026 by Dreamsorcerer. Severity: Low
- Late size enforcement for non-file multipart fields causes memory DoS. GHSA-3wq7-rqq7-wx6j, published Mar 31, 2026 by Dreamsorcerer. Severity: Moderate
- Multipart Header Size Bypass. GHSA-m5qp-6w8w-w647, published Mar 31, 2026 by Dreamsorcerer. Severity: Low
- UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows. GHSA-p998-jp59-783m, published Mar 31, 2026 by Dreamsorcerer. Severity: Low
- CRLF injection in multipart part content type header construction. GHSA-2vrm-gr82-f7m5, published Mar 31, 2026 by Dreamsorcerer. Severity: Low
- Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector. GHSA-hcc4-c3v8-rx92, published Mar 31, 2026 by Dreamsorcerer. Severity: Low
- Uncapped memory usage possible via headers/trailers. GHSA-w2fm-2cpv-w7v5, published Mar 31, 2026 by Dreamsorcerer. Severity: Moderate