Security: aio-libs/aiohttp
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Request smuggling due to incorrect parsing of chunk extensions (GHSA-8495-4g3g-x7pr), published Nov 18, 2024 by Dreamsorcerer. Severity: Low
- Compressed files as symlinks are not protected from path traversal (GHSA-jwhx-xcg6-8xhj), published Aug 9, 2024 by Dreamsorcerer. Severity: Low
- aiohttp HTTP Parser auto_decompress feature susceptible to zip bomb (GHSA-6mq8-rvhq-8wgg), published Jan 5, 2026 by Dreamsorcerer. Severity: High
- DoS when trying to parse malformed POST requests (GHSA-5m98-qgg9-wh84), published May 2, 2024 by Dreamsorcerer. Severity: High
- XSS on index pages for static file handling (GHSA-7gpw-8wmc-pm8g), published Apr 17, 2024 by Dreamsorcerer. Severity: Low
- aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal (GHSA-5h86-8mv2-jq9f), published Jan 29, 2024 by Dreamsorcerer. Severity: Moderate
- HTTP parser (the python one, not llhttp) still overly lenient about separators (GHSA-8qpw-xqxj-h4r2), published Jan 29, 2024 by Dreamsorcerer. Severity: Low
- ClientSession is vulnerable to CRLF injection via method (GHSA-qvrw-v9rv-5rjx), published Nov 26, 2023 by Dreamsorcerer. Severity: Low
- ClientSession is vulnerable to CRLF injection via version (GHSA-q3qx-c6g2-7pw2), published Nov 26, 2023 by Dreamsorcerer. Severity: Low
- Problems in HTTP parser (the python one, not llhttp) (GHSA-gfw2-4jvh-wgfg), published Nov 14, 2023 by Dreamsorcerer. Severity: Moderate