Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-34525 describes a Host header vulnerability discovered in aiohttp versions up to 3.9.5. The issue does not directly compromise aiohttp's own security, but it can be used to bypass security checks implemented by reverse proxies. It arises because aiohttp accepts requests carrying multiple Host headers; combined with Application.add_domain(), this can cause a request to be processed by a sub-application it was not intended for. A fix has been released in version 3.13.4.
The primary impact of CVE-2026-34525 stems from its interaction with reverse proxies. If a reverse proxy relies on the Host header to enforce security policies (e.g., restricting access to specific domains), an attacker could craft a request with a malicious Host header. This could potentially bypass the proxy's security checks, allowing the request to be processed by aiohttp in a privileged sub-application. The blast radius is limited to applications utilizing Application.add_domain() and relying on reverse proxies for security enforcement. While not a direct vulnerability in aiohttp itself, it represents a significant risk when integrated into larger systems.
CVE-2026-34525 was publicly disclosed on 2026-04-01. There are currently no known public proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog. The probability of exploitation is considered low due to the requirement of a specific deployment architecture involving reverse proxies and Application.add_domain().
Exploit status
EPSS
0.10% (28th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-34525 is to upgrade aiohttp to version 3.13.4 or later. This version includes a fix that restricts the acceptance of multiple Host headers. If upgrading is not immediately feasible, consider implementing stricter Host header validation within the reverse proxy configuration. Ensure the proxy only accepts expected Host headers and rejects any others. Additionally, review application code utilizing Application.add_domain() to understand how Host headers are being handled and if any additional validation is needed. After upgrading, confirm the fix by sending a request with multiple Host headers to the application and verifying that only the expected Host header is processed.
Upgrade to AIOHTTP version 3.13.4 or later. This version fixes the vulnerability that allows multiple Host headers, which could be exploited to carry out HTTP cache poisoning or spoofing attacks.
The severity depends on the reverse proxy configuration. If the proxy doesn't validate the 'Host' header, the vulnerability is critical.
Implement additional security controls in the reverse proxy, such as hostname validation and firewall rules.
Review proxy and aiohttp logs for requests with multiple 'Host' headers.
It's an aiohttp function that allows creating sub-applications with specific domains. If these sub-applications have elevated privileges, the vulnerability can be more severe.
Currently, there are no specific tools, but web vulnerability scanners can be adapted to look for requests with multiple 'Host' headers.
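The mitigation and log-review advice above both come down to one check: a request must carry exactly one Host header, and that header must name an expected domain. The following is an added example, not code from aiohttp or from this advisory; it parses a raw HTTP/1.1 request head (as a proxy or a packet capture would see it) and reports the conditions to reject or alert on. The allow-list, the `check_host` / `normalize_host` helpers and all request bytes are constructed for illustration.

```python
# Added example (not aiohttp's code, not from the advisory): a defender-side
# check over a raw HTTP/1.1 request head. It flags more than one Host header
# (ambiguous routing between a proxy and Application.add_domain()) and a Host
# outside an allow-list. All request bytes below are constructed samples.
from typing import Dict, List, Set, Tuple


def parse_header_fields(raw: bytes) -> List[Tuple[str, str]]:
    """Return (lowercased-name, value) pairs from the request head.
    Obsolete line folding (a line starting with SP/HTAB) is appended to the
    previous field so a folded Host cannot smuggle in a second value."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    fields: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # element [0] is the request line
        if not line:
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def normalize_host(value: str) -> str:
    """Lowercase and drop an explicit port; bracketed IPv6 literals survive."""
    host, sep, port = value.rpartition(":")
    return host.lower() if sep and port.isdigit() else value.lower()


def check_host(raw: bytes, allowed: Set[str]) -> Dict[str, object]:
    """Decide whether a proxy should forward this request to the app."""
    hosts = [v for n, v in parse_header_fields(raw) if n == "host"]
    if not hosts:
        return {"hosts": hosts, "reject": True, "reason": "missing-host"}
    if len(hosts) > 1:  # the condition CVE-2026-34525 is about
        return {"hosts": hosts, "reject": True, "reason": "ambiguous-host"}
    host = normalize_host(hosts[0])
    if host not in allowed:
        return {"hosts": [host], "reject": True, "reason": "host-not-allowed"}
    return {"hosts": [host], "reject": False, "reason": ""}


ALLOWED = {"admin.example.com", "public.example.com"}  # constructed allow-list
SAMPLES = {  # constructed request heads, not captured traffic
    "single": b"GET /admin HTTP/1.1\r\nHost: Admin.Example.com:443\r\n\r\n",
    "duplicate": b"GET /admin HTTP/1.1\r\nHost: public.example.com\r\n"
                 b"Host: admin.example.com\r\n\r\n",
    "folded": b"GET /admin HTTP/1.1\r\nHost: public.example.com\r\n"
              b" admin.example.com\r\n\r\n",
    "foreign": b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_host(raw, ALLOWED))
```

The same `check_host` logic can be run over exported proxy logs that retain raw headers to find the multiple-Host requests the advisory recommends looking for.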