
Multiple Vulnerabilities in Aiohttp (CVE-2026)

Multiple vulnerabilities have been discovered in Aiohttp, potentially leading to denial of service, security bypass, and information disclosure. Upgrade to version 3.13.4 to mitigate these issues.


Multiple vulnerabilities have been discovered in Aiohttp, a popular Python asynchronous HTTP client/server framework. These vulnerabilities could lead to denial of service (DoS), security bypass, information disclosure, and potential credential theft. Users are advised to upgrade to Aiohttp version 3.13.4 to mitigate these risks.

Several of these vulnerabilities carry a CVSS score of 2.5 (Low); the others have no score assigned on this page. Note that each entry below lists aiohttp 3.9.5 and earlier as affected while the fixed release is 3.13.4; treat every release before 3.13.4 as in scope and pin to 3.13.4 or later.

What is Aiohttp?

Aiohttp is an asynchronous HTTP client/server framework for Python, built on top of asyncio. It is commonly used for building high-performance web applications and services, and it provides both client and server functionality. That split matters for this advisory: some of the issues below are client-side (redirect header leaks, DNS cache growth, response header parsing) and others are server-side (duplicate Host headers, multipart and trailer limits, static file serving), and a single upgrade covers both sets.

CVE-2026-34520: AIOHTTP Header Injection via Null Bytes and Control Characters

CVSS: 2.5
Affected versions: AIOHTTP 3.9.5 and earlier.

Low severity vulnerability.

EPSS score of 0.045 indicates a low probability of exploitation.

AIOHTTP's C parser (llhttp) accepted null bytes and control characters in response header values instead of rejecting the response. A server an aiohttp client talks to could therefore return header values that aiohttp passed through verbatim while other components interpreted them differently (for example by truncating at the NUL), which is the basis for a security bypass.

How to fix CVE-2026-34520 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: No known workaround.


CVE-2026-34525: AIOHTTP Accepts Duplicate Host Headers

CVSS: N/A
Affected versions: AIOHTTP 3.9.5 and earlier.

Severity not specified.

EPSS score of 0.085 indicates a low probability of exploitation.

AIOHTTP accepted requests carrying more than one Host header instead of rejecting them with 400 as RFC 9112 requires. If a reverse proxy in front of it applies access rules based on the Host header (for instance using the first value) while AIOHTTP routes on a different one (for instance the last), the two components process different hostnames and the proxy's security checks can be bypassed.
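As an added example (not code from aiohttp or from this page's author), the disagreement described above reproduced on a constructed raw request, together with the check a proxy or application middleware should apply. The minimal header parser and the "proxy keys on the first Host, backend on the last" routing choice are assumptions for illustration:

```python
from typing import List, Optional, Tuple


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head (constructed input, no body) into
    the request line and an ordered list of (name, value) pairs. Names are
    lower-cased; order is preserved on purpose, because 'first Host' versus
    'last Host' is exactly where proxy and backend can disagree."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return request_line, headers


def host_values(headers: List[Tuple[str, str]]) -> List[str]:
    """Every Host value present, in wire order."""
    return [v for n, v in headers if n == "host"]


def hostname_disagreement(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (first_host, last_host) when a proxy that keys on the first
    Host header and a backend that keys on the last would authorize or
    route on different names; None when there is nothing to exploit."""
    _, headers = parse_request_head(raw)
    hosts = host_values(headers)
    if len(hosts) < 2:
        return None
    return hosts[0], hosts[-1]


def has_exactly_one_host(raw: bytes) -> bool:
    """Policy the proxy or an application middleware should enforce:
    exactly one Host header (RFC 9112 section 3.2), otherwise 400."""
    _, headers = parse_request_head(raw)
    return len(host_values(headers)) == 1


# Constructed request: the first Host passes a proxy allow-list for
# 'public.example'; the second is what a backend taking the last value sees.
SMUGGLED_HOST_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: public.example\r\n"
    b"Host: internal.example\r\n"
    b"User-Agent: test\r\n"
    b"\r\n"
)

CLEAN_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: public.example\r\n"
    b"\r\n"
)
```

In an aiohttp application the same rule fits in a middleware: `request.headers.getall("Host", [])` returns every Host value the server accepted, and a length above one should produce `web.HTTPBadRequest` rather than reaching a handler.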

How to fix CVE-2026-34525 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: Reject requests carrying more than one Host header at the reverse proxy (or in application middleware), so that proxy and application never see different hostnames.


CVE-2026-34519: AIOHTTP HTTP Response Splitting via \r in Reason Phrase

CVSS: 2.5
Affected versions: AIOHTTP 3.9.5 and earlier.

Low severity vulnerability.

EPSS score of 0.045 indicates a low probability of exploitation.

An attacker who controls the `reason` parameter of a `Response` (the HTTP reason phrase) could include a carriage return and thereby inject additional header lines into the response, making it carry something different from what the developer intended.

How to fix CVE-2026-34519 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: Avoid using untrusted data in the response's `reason` parameter.


CVE-2026-34516: AIOHTTP Multipart Header Size Bypass

CVSS: N/A
Affected versions: AIOHTTP 3.9.5 and earlier.

Severity not specified.

EPSS score of 0.04 indicates a low probability of exploitation.

A multipart response containing an excessive number of part headers could be allowed to use more memory than the configured limits intended, which an attacker can use for a memory-exhaustion denial of service.

How to fix CVE-2026-34516 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: Limit the number of multipart headers accepted by the application.


CVE-2026-22815: AIOHTTP Uncapped Memory Usage via Unlimited Trailer Headers

CVSS: N/A
Affected versions: AIOHTTP 3.9.5 and earlier.

Severity not specified.

EPSS score of 0.04 indicates a low probability of exploitation.

Insufficient restrictions on header and trailer handling allowed memory usage to grow without a cap: an attacker-controlled request (server side) or response (client side) carrying an unlimited number of trailer headers could exhaust memory.

How to fix CVE-2026-22815 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: Put a reverse proxy in front of the service and cap header and trailer size and count there, so oversized blocks never reach AIOHTTP.


CVE-2026-34517: AIOHTTP Memory DoS via Late Size Enforcement for Multipart Fields

CVSS: 2.5
Affected versions: AIOHTTP 3.9.5 and earlier.

Low severity vulnerability.

EPSS score of 0.04 indicates a low probability of exploitation.

AIOHTTP read an entire multipart form field into memory before checking it against `client_max_size`. An attacker could therefore send a crafted multipart request that forces a large temporary allocation even though the request is ultimately rejected; a limit enforced only after buffering does not protect memory.
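The three memory issues above (CVE-2026-34516, CVE-2026-22815 and CVE-2026-34517) share one root cause: a limit checked after the data has already been collected. The following added example, which is not aiohttp's code, contrasts late and early size enforcement on a simulated oversized multipart field and shows a header/trailer block parser that caps field count and total bytes per line. The `TooLarge` exception, the `CountingStream` stand-in for a streaming client, and the limits used are constructed for the example:

```python
from typing import Iterable, List, Tuple


class TooLarge(Exception):
    """Raised the moment a limit is exceeded, before anything more is buffered."""


class CountingStream:
    """Stand-in for a client streaming an oversized multipart field
    (constructed input). It records how many bytes the server actually
    pulled, i.e. the memory the server committed before deciding."""

    def __init__(self, total_bytes: int, chunk_size: int = 64 * 1024):
        self.total_bytes = total_bytes
        self.chunk_size = chunk_size
        self.consumed = 0

    def __iter__(self):
        remaining = self.total_bytes
        while remaining > 0:
            n = min(self.chunk_size, remaining)
            self.consumed += n
            remaining -= n
            yield b"A" * n


def read_field_late_check(chunks: Iterable[bytes], limit: int) -> bytes:
    """The pattern behind CVE-2026-34517: buffer the whole field, then
    compare it with the limit. Peak memory equals whatever the client sent."""
    data = b"".join(chunks)
    if len(data) > limit:
        raise TooLarge("field is %d bytes, limit %d" % (len(data), limit))
    return data


def read_field_early_check(chunks: Iterable[bytes], limit: int) -> bytes:
    """Early enforcement: stop consuming input as soon as the running total
    would pass the limit, so peak memory is at most limit + one chunk."""
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > limit:
            raise TooLarge("field exceeds %d bytes" % limit)
        buf += chunk
    return bytes(buf)


def parse_headers_bounded(lines: Iterable[bytes], max_count: int,
                          max_bytes: int) -> List[Tuple[bytes, bytes]]:
    """Header or trailer block parser with the two caps the unbounded
    paths lacked: number of fields and total bytes, both checked per
    line rather than once the whole block has been collected."""
    fields: List[Tuple[bytes, bytes]] = []
    total = 0
    for line in lines:
        if line == b"":          # empty line terminates the block
            break
        total += len(line) + 2   # count the CRLF the wire format carries
        if len(fields) >= max_count:
            raise TooLarge("too many header fields")
        if total > max_bytes:
            raise TooLarge("header block too large")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def bytes_pulled(reader, body_bytes: int, limit: int) -> int:
    """Run `reader` over a body of body_bytes with `limit` and report how
    many bytes it pulled from the stream before rejecting or returning."""
    stream = CountingStream(body_bytes)
    try:
        reader(stream, limit)
    except TooLarge:
        pass
    return stream.consumed


def is_rejected(fn, *args, **kwargs) -> bool:
    """True when fn raises TooLarge for these arguments."""
    try:
        fn(*args, **kwargs)
    except TooLarge:
        return True
    return False


# Constructed trailer block: 100 fields, for use against a cap of 50.
FLOOD_TRAILERS = [b"X-Trailer-%d: v" % i for i in range(100)] + [b""]
```

With a 1 MiB limit and a 10 MiB body, the late check pulls all 10 MiB before rejecting, while the early check stops after the first chunk that would cross the limit; the same "check before you append" shape is what bounds the header and trailer parser.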

How to fix CVE-2026-34517 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: Reject oversized requests before they reach the application (for example with a body-size limit at the reverse proxy), since `client_max_size` is only enforced after the field has been buffered.


CVE-2026-34518: AIOHTTP Leaks Cookie and Proxy-Authorization Headers on Cross-Origin Redirect

CVSS: 2.5
Affected versions: AIOHTTP 3.9.5 and earlier.

Low severity vulnerability.

EPSS score of 0.04 indicates a low probability of exploitation.

When following a redirect to a different origin, AIOHTTP dropped the Authorization header but kept sending the Cookie and Proxy-Authorization headers, so a redirect to an attacker-controlled origin could receive the client's session cookies or proxy credentials.
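An added example (not aiohttp's code) of the decision a client has to make on every redirect: resolve the `Location`, compare origins as scheme, host and port, and drop every credential-bearing header on a cross-origin hop. The header list, the `origin` helper and the sample headers are assumptions for this example, and `leaked_headers` reproduces the vulnerable "strip only Authorization" behaviour for comparison:

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not follow a redirect to another
# origin. The advisory says Authorization was already stripped while Cookie
# and Proxy-Authorization were not. (List assumed for this example.)
CREDENTIAL_HEADERS = {"authorization", "cookie", "proxy-authorization"}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """(scheme, host, port) with the scheme's default port filled in, so
    https://a.example and https://a.example:443 compare as one origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def headers_for_redirect(original_url: str, location: str, headers: dict) -> dict:
    """Headers to send on the redirected request. A relative Location is
    resolved against the original URL first. Same origin: keep everything.
    Any change of scheme, host or port: drop every credential header."""
    target = urljoin(original_url, location)
    if origin(original_url) == origin(target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def leaked_headers(original_url: str, location: str, headers: dict) -> list:
    """The vulnerable behaviour for comparison: strip only Authorization on
    a cross-origin hop and report which credential headers still travel."""
    target = urljoin(original_url, location)
    if origin(original_url) == origin(target):
        return []
    sent = {k for k in headers if k.lower() != "authorization"}
    return sorted(k for k in sent if k.lower() in CREDENTIAL_HEADERS)


# Constructed request headers for the examples below.
SAMPLE_HEADERS = {
    "Accept": "application/json",
    "Authorization": "Bearer token",
    "Cookie": "session=abc123",
    "Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",
}
```

With aiohttp you get the 3xx response back instead of an automatic hop by passing `allow_redirects=False` to the session request call; applying `headers_for_redirect` to the `Location` before issuing the follow-up request gives the same protection on an affected version. Note that an https-to-http downgrade on the same host also counts as a different origin here.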

How to fix CVE-2026-34518 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: Disable automatic redirects (`allow_redirects=False`) and follow them yourself, dropping Cookie and Proxy-Authorization whenever the target origin differs from the original.


CVE-2026-34513: AIOHTTP Denial of Service (DoS) via Unbounded DNS Cache

CVSS: 2.5
Affected versions: AIOHTTP 3.9.5 and earlier.

Low severity vulnerability.

EPSS score of 0.04 indicates a low probability of exploitation.

The client's DNS cache had no upper bound on the number of entries, so an application that resolves a very large number of distinct hostnames (or can be made to, for example by following attacker-supplied URLs) accumulates memory until it is exhausted, leading to a DoS.
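To show what "bounded" has to mean for a resolver cache, here is an added example (not aiohttp's implementation) of an LRU cache with a hard entry cap and a per-entry TTL, plus a simulation that resolves many distinct hostnames through it. `BoundedTTLCache`, `FakeClock`, `fake_resolver` and the TEST-NET-3 addresses are constructed for the example:

```python
import time
from collections import OrderedDict
from typing import Callable, Hashable, List


class BoundedTTLCache:
    """LRU cache with a hard entry cap and a per-entry TTL. When maxsize
    distinct keys are present, inserting another evicts the least recently
    used one, so memory is bounded by maxsize however many hostnames are
    looked up. (Example policy, not aiohttp's code.)"""

    def __init__(self, maxsize: int, ttl: float,
                 clock: Callable[[], float] = time.monotonic):
        if maxsize < 1:
            raise ValueError("maxsize must be at least 1")
        self.maxsize = maxsize
        self.ttl = ttl
        self._clock = clock
        self._data: "OrderedDict[Hashable, tuple]" = OrderedDict()

    def get(self, key: Hashable):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:   # stale: drop it and report a miss
            del self._data[key]
            return None
        self._data.move_to_end(key)        # mark as most recently used
        return value

    def put(self, key: Hashable, value) -> None:
        self._data[key] = (value, self._clock() + self.ttl)
        self._data.move_to_end(key)
        while len(self._data) > self.maxsize:
            self._data.popitem(last=False)  # evict least recently used

    def __len__(self) -> int:
        return len(self._data)


class FakeClock:
    """Deterministic clock so TTL expiry can be exercised offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def resolve_cached(cache: BoundedTTLCache, host: str,
                   resolver: Callable[[str], List[str]]) -> List[str]:
    """Cache front for any resolver (host -> list of addresses): serve a
    fresh hit, otherwise resolve and store."""
    hit = cache.get(host)
    if hit is not None:
        return hit
    addrs = resolver(host)
    cache.put(host, addrs)
    return addrs


def fake_resolver(host: str) -> List[str]:
    """Constructed stand-in for DNS: a deterministic TEST-NET-3 address."""
    return ["203.0.113.%d" % (sum(host.encode()) % 256)]


def entries_after_lookups(n_hosts: int, maxsize: int) -> int:
    """Resolve n_hosts distinct names through a cache capped at maxsize and
    return how many entries remain. An unbounded cache would hold n_hosts."""
    cache = BoundedTTLCache(maxsize=maxsize, ttl=10.0, clock=FakeClock())
    for i in range(n_hosts):
        resolve_cached(cache, "host%d.example" % i, fake_resolver)
    return len(cache)
```

aiohttp's `TCPConnector` already exposes `ttl_dns_cache` (entry lifetime) and `use_dns_cache=False` (no cache at all); on affected versions neither caps the number of entries, which is the property the cap above adds. A TTL alone does not help when an attacker keeps supplying fresh hostnames faster than old entries expire.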

How to fix CVE-2026-34513 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: Limit the number of distinct hosts the application resolves, or disable the client DNS cache (`TCPConnector(use_dns_cache=False)`) at the cost of a lookup per connection.


CVE-2026-34515: AIOHTTP UNC SSRF/NTLMv2 Credential Theft/Local File Read on Windows

CVSS: N/A
Affected versions: AIOHTTP 3.9.5 and earlier, when running on Windows and using the static resource handler (`add_static`).

Severity not specified.

EPSS score of 0.057 indicates a low probability of exploitation.

On Windows, the static resource handler could be made to access a UNC path (`\\host\share\...`) derived from the request. Opening such a path makes the server connect to an attacker-chosen host (SSRF); Windows offers NTLMv2 authentication on that connection, which the attacker can capture (credential theft), and the same path handling can expose files outside the served directory (local file read).
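An added stand-alone check (not aiohttp's handler) for mapping a request path onto a file under a static root with Windows path rules: it refuses both spellings of a UNC path, drive letters and alternate data streams, absolute paths, and traversal. `PureWindowsPath` lets the check run on any OS; the root, the probe paths and the function names are assumptions for the example:

```python
from pathlib import PureWindowsPath
from typing import Optional


def resolve_static_path(root: str, requested: str) -> Optional[PureWindowsPath]:
    """Map a URL path (already percent-decoded) onto a file under `root`
    using Windows path rules, refusing anything that names a remote host
    or escapes the directory. Returns the path to open, or None when the
    request must be rejected."""
    # Backslash is a separator on Windows, and '\\host\share' or '//host/share'
    # is a UNC path: opening it makes the server reach out to `host` and offer
    # NTLM authentication. Reject both spellings outright.
    if "\\" in requested or requested.startswith("//"):
        return None
    # A colon introduces a drive letter ('C:') or an NTFS alternate data
    # stream ('file.txt:stream'); neither belongs in a URL path.
    if ":" in requested:
        return None
    candidate = PureWindowsPath(requested)
    if candidate.drive or candidate.root or candidate.is_absolute():
        return None
    # Refuse traversal rather than normalising it away.
    if ".." in candidate.parts:
        return None
    base = PureWindowsPath(root)
    full = base.joinpath(candidate)
    try:
        full.relative_to(base)   # belt and braces: still under root
    except ValueError:
        return None
    return full


# Constructed request paths, as the handler would see them after URL decoding.
PROBES = {
    "css/site.css": "legitimate file",
    "//attacker.example/share/x": "UNC via forward slashes (SSRF / NTLM capture)",
    "\\\\attacker.example\\share\\x": "UNC via backslashes",
    "../app/config.py": "traversal out of the static root",
    "C:/Windows/win.ini": "absolute path on another drive",
    "notes.txt:hidden": "alternate data stream",
}


def classify(root: str) -> dict:
    """Run every probe against `root` and report which ones are accepted."""
    return {p: resolve_static_path(root, p) is not None for p in PROBES}
```

Only the first probe is accepted; everything else is refused before any filesystem call, which is the point: the outbound SMB connection happens at open time, so the decision has to be made on the string, not on the result of opening it.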

How to fix CVE-2026-34515 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: Do not serve static files with AIOHTTP's static handler on Windows in production (put a dedicated web server in front of it), and reject request paths containing backslashes, colons or a leading `//` before they reach the handler.


CVE-2026-34514: AIOHTTP CRLF Injection through Multipart Content Type Header

CVSS: 2.5
Affected versions: AIOHTTP 3.9.5 and earlier.

Low severity vulnerability.

EPSS score of 0.045 indicates a low probability of exploitation.

An attacker who controls the `content_type` value used when building a multipart part could embed CR/LF sequences and thereby inject extra header lines into the part, manipulating the request to send unintended data.
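CVE-2026-34519, CVE-2026-34514 and CVE-2026-34520 are all about the same alphabet: a header value, a reason phrase or a media type must contain no CR, LF, NUL or other control character, or the receiver sees a different message than the sender wrote. The added example below (not aiohttp's code) gives the pre-check a caller can run on any value before handing it to aiohttp as a `reason` or multipart `content_type`, shows what an unchecked value would smuggle, and applies the same rule on the client side to received header values, which is what the fixed parser enforces. The regular expressions follow the RFC 9110/9112 field-value and token grammars; function names and the sample values are constructed for the example:

```python
import re
from typing import List

# RFC 9110 field-value alphabet: VCHAR and obs-text, with SP and HTAB as
# separators. CR, LF, NUL and every other control character are excluded.
# RFC 9112 gives the reason phrase the same alphabet, so one pattern serves both.
_FIELD_VALUE_RE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")

# RFC 9110 token (tchar), used for header names and media type/subtype.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_safe_field_value(value: str) -> bool:
    """True if `value` can be written into a header line or a reason phrase
    without the receiver seeing an extra line (CR/LF) or a truncated or
    reinterpreted value (NUL or another control character)."""
    return _FIELD_VALUE_RE.match(value) is not None


def is_safe_content_type(value: str) -> bool:
    """True for a plain media type such as 'text/plain' or
    'multipart/form-data; boundary=abc': type and subtype must be tokens,
    parameters are allowed, control characters are not."""
    if not is_safe_field_value(value):
        return False
    media, _, _params = value.partition(";")
    typ, sep, subtyp = media.strip().partition("/")
    return bool(sep) and _TOKEN_RE.match(typ) is not None \
        and _TOKEN_RE.match(subtyp) is not None


def smuggled_lines(value: str) -> List[str]:
    """What a serializer that copies `value` verbatim would emit as extra
    lines: every non-empty segment after the first CR, LF or CRLF. An empty
    list means nothing can be injected."""
    segments = re.split(r"\r\n|\r|\n", value)
    return [s for s in segments[1:] if s]


def build_header_line(name: str, value: str) -> bytes:
    """Serialize one header field, refusing input that would split it."""
    if _TOKEN_RE.match(name) is None:
        raise ValueError("invalid header name: %r" % name)
    if not is_safe_field_value(value):
        raise ValueError("unsafe value for %s: %r" % (name, value))
    return ("%s: %s\r\n" % (name, value)).encode("latin-1")


def audit_received_headers(headers: List[tuple]) -> List[str]:
    """Client side of the same rule: names of received header fields whose
    value a strict parser would reject (NUL, CR, LF or other controls)."""
    return [name for name, value in headers if not is_safe_field_value(value)]


# Constructed inputs: the kind of value each vulnerability is about.
REASON_WITH_CR = "OK\rSet-Cookie: admin=1"                   # CVE-2026-34519
CONTENT_TYPE_WITH_CRLF = "text/plain\r\nX-Injected: yes"     # CVE-2026-34514
RESPONSE_HEADERS_WITH_NUL = [                                # CVE-2026-34520
    ("Content-Type", "text/html"),
    ("X-Tenant", "public\x00internal"),
]
```

The check rejects a lone `\r` as well as `\r\n`, because a parser that treats CR alone as a line terminator is exactly what the reason-phrase issue relies on; it also rejects the NUL in `X-Tenant`, which a downstream component that truncates at NUL would read as `public` while aiohttp handed on the full value.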

How to fix CVE-2026-34514 in Aiohttp

Patch immediately
  1. Upgrade Aiohttp to version 3.13.4 or later:

     pip install --upgrade "aiohttp>=3.13.4"

Workaround: Avoid using untrusted data for the multipart `content_type` parameter.

