Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-34520 affects the aiohttp library, a Python 3.6+ HTTP client/server framework. This vulnerability arises from the parser's improper handling of null bytes and control characters within response headers. Attackers can exploit this to manipulate header values, potentially bypassing security controls and leading to unauthorized access or actions. Versions of aiohttp prior to 3.13.4 are vulnerable, and a patch has been released to address the issue.
The core of the vulnerability lies in the C parser (the default for most installations) accepting control characters in response headers. This allows an attacker to craft header values that are interpreted differently than intended. A prime example is request.url.origin(), which may return a value that differs from the raw Host header, or from what a reverse proxy in front of the application took that header to be. This discrepancy can be leveraged to bypass authentication mechanisms, access restricted resources, or manipulate application logic. The potential for security bypass is significant, as it undermines the integrity of header-based security controls. The blast radius extends to any application relying on aiohttp for handling HTTP requests and responses, particularly those that trust header information for security decisions.
CVE-2026-34520 was published on 2026-04-01. Its CVSS score of 9.1 (CRITICAL) reflects the high severity of the vulnerability. As of this writing, there are no publicly known active campaigns exploiting this vulnerability, and it is not listed on KEV. The EPSS score is likely to be medium to high, given the ease of exploitation and the potential for significant impact. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Applications built using aiohttp, particularly those deployed in production environments and handling sensitive data, are at risk. Services relying on accurate header parsing for authentication, authorization, or routing are especially vulnerable. Shared hosting environments where users have limited control over server configurations are also at increased risk.
• python / server:
    import re

    # Version that contains the fix, per the "Fixed in" field of this advisory.
    FIXED_VERSION = (3, 13, 4)

    def parse_version(text):
        # Compare numeric components, not strings: as strings, '3.13.4' <= '3.9.5' is True.
        parts = []
        for piece in text.split('.'):
            match = re.match(r'\d+', piece)
            if not match:
                break  # stop at pre-release/local suffixes such as 'rc1'
            parts.append(int(match.group()))
        return tuple(parts)

    def check_aiohttp_version():
        try:
            import aiohttp
        except ImportError:
            print("aiohttp is not installed.")
            return
        version = aiohttp.__version__
        print(f"aiohttp version: {version}")
        if parse_version(version) < FIXED_VERSION:
            print(f"VULNERABLE: aiohttp {version} is older than 3.13.4")
        else:
            print("aiohttp version is not vulnerable.")

    if __name__ == '__main__':
        check_aiohttp_version()
• generic web:
    curl -I https://example.com | grep -i 'Content-Type:'
Inspect the Content-Type header for unexpected characters or encodings that might indicate manipulation.
disclosure
Exploit status
EPSS
0.06% (17th percentile)
CVSS vector
The primary mitigation for CVE-2026-34520 is to upgrade to aiohttp version 3.13.4 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to sanitize incoming header values, removing or escaping control characters before processing them. Web Application Firewalls (WAFs) or reverse proxies can also be configured to filter out suspicious header values. Specifically, look for rules that block headers containing unusual control characters or unexpected sequences. After upgrading, verify the fix by sending crafted requests containing control characters in headers and confirming that the application behaves as expected, without misinterpreting the header values.
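The following is an added example, not code from the advisory or from the aiohttp project. It implements the header-value check that the discussion of control characters above and the "sanitize incoming header values" workaround call for: a validator based on the RFC 9110 field-value grammar (visible ASCII, obs-text, space and tab are allowed; NUL, other C0 controls and DEL are not), a stopgap sanitizer, and an audit over a raw header block. The sample response headers and the header names in them are constructed for this example; the function names are the author's own.

```python
import re
from typing import Dict, List, Tuple

# RFC 9110 field-value characters are VCHAR (0x21-0x7E), obs-text (0x80-0xFF), SP and HTAB.
# Everything else is a control character that must not appear in a header value:
# NUL and the other C0 controls except HTAB (0x00-0x08, 0x0A-0x1F) and DEL (0x7F).
_FORBIDDEN_HEADER_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def forbidden_chars(value: str) -> List[str]:
    """Return every forbidden control character found in a header value, in order."""
    return [m.group(0) for m in _FORBIDDEN_HEADER_CHARS.finditer(value)]


def is_valid_header_value(value: str) -> bool:
    """True when the value contains only characters the field-value grammar permits."""
    return _FORBIDDEN_HEADER_CHARS.search(value) is None


def sanitize_header_value(value: str) -> str:
    """Stopgap for unpatched deployments: strip forbidden control characters.

    Rejecting the message outright (as the patched parser does) is the safer choice;
    stripping only makes sense where a rejection would break a known-good upstream.
    """
    return _FORBIDDEN_HEADER_CHARS.sub("", value)


def parse_raw_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs without altering the bytes.

    The block is decoded as latin-1 so every byte survives for inspection, and only
    SP/HTAB are trimmed from values so that embedded control characters remain visible.
    Lines without a colon (the status line, blank lines) are skipped.
    """
    pairs = []
    for line in raw.split(b"\r\n"):
        if not line or b":" not in line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        pairs.append((name.strip(), value.strip(" \t")))
    return pairs


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each header name whose value carries control characters to the offending chars."""
    findings: Dict[str, List[str]] = {}
    for name, value in headers:
        bad = forbidden_chars(value)
        if bad:
            findings.setdefault(name, []).extend(bad)
    return findings


# Constructed sample: a response header block with a NUL inside Host and a
# vertical-tab inside a custom header, as a parser must never silently accept.
SAMPLE_HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Host: app.example\x00ignored\r\n"
    b"X-Debug: value\x0bwith-vt\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for name, chars in audit_headers(parse_raw_headers(SAMPLE_HEADERS)).items():
        print(f"{name}: control characters {[hex(ord(c)) for c in chars]}")
```

The same audit can be pointed at the output of `curl -I` (which prints the raw header block) to spot the "unexpected characters" the generic check above asks you to look for, or at the values a front-end proxy forwards to the application while the upgrade is pending.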
Update the AIOHTTP library to version 3.13.4 or later. This fixes the header injection vulnerability by rejecting null bytes and control characters in response header values. You can update with `pip install -U aiohttp`.
CVE-2026-34520 is a critical vulnerability in aiohttp versions up to 3.9.5 that allows attackers to inject malicious header values via control characters, potentially leading to security bypasses.
You are affected if you are using aiohttp version 3.9.5 or earlier. Check your aiohttp version and upgrade if necessary.
Upgrade aiohttp to version 3.13.4 or later. If immediate upgrade is not possible, implement WAF rules to filter suspicious header characters.
No active exploitation campaigns have been reported at this time, but the vulnerability's nature suggests it could be easily exploited.
Refer to the aiohttp GitHub repository commit: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4