Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-34519 describes a response header injection vulnerability discovered in aiohttp, a Python 3.6+ HTTP client/server framework. An attacker who can influence the reason parameter when constructing an HTTP response could potentially inject arbitrary headers, leading to unexpected behavior. This vulnerability affects versions of aiohttp up to and including 3.9.5, and a fix is available in version 3.13.4.
The impact of CVE-2026-34519 hinges on whether an application allows untrusted data to be used in the response's reason parameter. If an application does, an attacker could manipulate the response headers to send something different from what the developer intended. This could involve injecting malicious headers that redirect users to phishing sites, modify content security policies, or otherwise alter the behavior of the application. While the vulnerability is rated as LOW severity, the potential for subtle manipulation of responses could lead to user confusion or, in more complex scenarios, compromise application security. The blast radius is limited to users interacting with the affected application’s responses.
CVE-2026-34519 was publicly disclosed on 2026-04-01. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. Given the LOW CVSS score and lack of public exploits, the probability of active exploitation is considered low.
Applications built using aiohttp versions 3.9.5 and earlier are at risk. This includes web applications, APIs, and microservices that rely on aiohttp for handling HTTP requests and responses. Specifically, applications that allow users to directly influence the content of HTTP responses are particularly vulnerable.
• python / server:
```python
# Check the installed aiohttp version
import aiohttp
print(aiohttp.__version__)

# Inspect code for uses of aiohttp.web.Response with a user-controlled 'reason'.
# Look for code patterns like:
# response = aiohttp.web.Response(status=200, reason=user_input)
```
Disclosure
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34519 is to upgrade to aiohttp version 3.13.4 or later. This version includes a fix that prevents the injection of arbitrary headers via the reason parameter. If upgrading is not immediately feasible, consider implementing input validation on the reason parameter to ensure that it only contains trusted data. While not a direct fix, a Web Application Firewall (WAF) configured to inspect and filter HTTP response headers could potentially block malicious header injections. After upgrading, confirm the fix by attempting to create a response with a crafted reason parameter containing potentially malicious header directives and verifying that the headers are not injected.
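As an added example (not code from aiohttp or from this advisory), the input validation and the post-upgrade check described above: a reason-phrase validator based on the RFC 9112 grammar, a sanitizer to put in front of `aiohttp.web.Response(reason=...)`, and a helper that serializes a status line plus headers the way a server that does not validate the reason phrase would and reports whether the head still has the expected number of lines. The function names and the sample values are assumptions.

```python
# Added example, not part of the advisory or of aiohttp itself: validate a
# reason phrase before it reaches aiohttp.web.Response(reason=...), and check
# a serialized response head for injected lines. Function names are assumed.
import re

# RFC 9112: reason-phrase = *( HTAB / SP / VCHAR / obs-text ).
# VCHAR is 0x21-0x7E and obs-text is 0x80-0xFF; CR, LF and every other
# control character are excluded, which is what rules out header injection.
_REASON_CHARS = re.compile(r"[\t \x21-\x7e\x80-\xff]*")
# Treat CRLF, bare CR and bare LF as line breaks, as lenient parsers do.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")


def is_valid_reason(reason: str) -> bool:
    """True only if the reason phrase can sit on a status line unchanged."""
    return _REASON_CHARS.fullmatch(reason) is not None


def sanitize_reason(reason: str, fallback: str = "OK") -> str:
    """Replace every disallowed character with a space; use the fallback
    when nothing printable is left. Suitable as a guard in front of
    web.Response(status=..., reason=sanitize_reason(user_input))."""
    cleaned = "".join(ch if _REASON_CHARS.fullmatch(ch) else " " for ch in reason)
    return cleaned.strip() or fallback


def head_is_intact(status: int, reason: str, headers: dict) -> bool:
    """Serialize a response head the way a server that does not validate the
    reason phrase would, and report whether a client would see exactly one
    status line plus len(headers) header lines. This is the post-upgrade
    check the advisory recommends, run against a constructed head."""
    head = f"HTTP/1.1 {status} {reason}\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    # The final CRLF leaves one empty trailing element; drop it.
    lines = _LINE_BREAK.split(head)[:-1]
    return len(lines) == 1 + len(headers)


if __name__ == "__main__":
    # Constructed sample values, not observed traffic.
    trusted = "Not Found"
    untrusted = "Not Found\r\nX-Injected: 1"
    hdrs = {"Content-Type": "text/plain"}
    print(is_valid_reason(trusted), is_valid_reason(untrusted))  # True False
    print(head_is_intact(404, trusted, hdrs))                    # True
    print(head_is_intact(404, untrusted, hdrs))                  # False
    print(head_is_intact(404, sanitize_reason(untrusted), hdrs)) # True
```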
Upgrade aiohttp to version 3.13.4 or later. This version contains the fix for the HTTP response splitting vulnerability. You can upgrade with pip: `pip install aiohttp==3.13.4`.
CVE-2026-34519 is a LOW severity vulnerability in aiohttp versions up to 3.9.5 that allows an attacker to inject headers by manipulating the 'reason' parameter in HTTP responses.
You are affected if your application uses aiohttp version 3.9.5 or earlier. Upgrade to 3.13.4 or later to resolve the issue.
Upgrade to aiohttp version 3.13.4 or later. Also, review your code to ensure user input is not directly used in the 'reason' parameter.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the official aiohttp GitHub repository commit: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b