Multiple Vulnerabilities Discovered in Aiohttp: HTTP Response Splitting, Host Header Handling, and More

Aiohttp, a popular Python web framework, has multiple vulnerabilities including HTTP response splitting, Host header issues, and memory exhaustion risks. Update to 3.13.4 to mitigate these risks.

Several vulnerabilities have been identified in Aiohttp, a widely used asynchronous HTTP client/server framework for Python. They range from HTTP response splitting and Host header mishandling to denial-of-service conditions and information leakage. The fixes shipped in version 3.13.4; update to 3.13.4 or later, and treat any installation below that version as unpatched regardless of the per-advisory version range quoted below.

Some of the issues carry a CVSS score of 2.5 (Low); the rest have not yet been scored. A low or missing score is not a reason to defer: the Host header and credential-leak issues in particular depend on deployment details (reverse proxy rules, redirect targets, Windows hosts) that a scanner cannot see.

What is Aiohttp?

Aiohttp is an asynchronous HTTP client/server framework built on top of asyncio. It provides a robust and efficient way to handle HTTP requests and responses in Python, making it suitable for building high-performance web applications and APIs. Aiohttp is often used together with other Python libraries and frameworks to build scalable, responsive web services. Note that the same package contains both the client and the server: some of the issues below affect only applications that serve HTTP with aiohttp, others only those that make outbound requests with it.

AIOHTTP: Duplicate Host Headers

CVSS: N/A
Affected versions: Aiohttp 3.9.5 and earlier.

Impact: potential bypass of reverse proxy security rules.

EPSS: 0.085%, a low predicted probability of exploitation.

Aiohttp accepted requests carrying more than one Host header. RFC 9112 requires an HTTP/1.1 server to reject such requests with 400; a server that instead picks one of the values can disagree with the reverse proxy in front of it about which host the request is for, so proxy rules keyed on Host can be bypassed. In aiohttp this matters when privileged sub-applications are mounted by domain with `Application.add_domain()`: a request the proxy allowed for a public domain may be routed to a sub-application the proxy never intended to expose.
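The check a server should apply is the one RFC 9112 prescribes: exactly one Host header, and its value must be one the application serves. The following is an added example, not aiohttp's own parser; it works on a raw request head so it runs without aiohttp installed, and `ALLOWED` stands in for the domains an application would register with `Application.add_domain()`. The two request heads are constructed, not captured traffic.

```python
"""Reject HTTP/1.1 request heads that carry more than one Host header.

Added example (not aiohttp code). ALLOWED is an assumed stand-in for the
domains registered with Application.add_domain().
"""
from __future__ import annotations

from typing import List, Set, Tuple


class BadRequest(ValueError):
    """Raised when the request must be answered with 400 Bad Request."""


def parse_request_head(raw: bytes) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Split a raw request head into (request line, [(name, value), ...]).

    Every header occurrence is kept, in order, so duplicates stay visible
    instead of being collapsed into a dict.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: List[Tuple[str, str]] = []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise BadRequest("malformed header line")
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return request_line, headers


def single_host(headers: List[Tuple[str, str]], allowed: Set[str]) -> str:
    """Return the one Host value, or raise BadRequest.

    RFC 9112 section 3.2: a server MUST respond 400 to an HTTP/1.1 request
    with more than one Host header field line. Picking the first or last
    value instead is what lets a proxy and a backend disagree.
    """
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        raise BadRequest(f"expected exactly one Host header, got {len(hosts)}")
    host = hosts[0].lower()
    if host not in allowed:
        raise BadRequest(f"Host {host!r} is not served here")
    return host


# Constructed sample requests (not captured traffic).
ALLOWED = {"public.example", "admin.example"}

CLEAN = (b"GET / HTTP/1.1\r\n"
         b"Host: public.example\r\n"
         b"User-Agent: test\r\n\r\n")

SMUGGLED = (b"GET / HTTP/1.1\r\n"
            b"Host: public.example\r\n"   # the value a proxy rule might inspect
            b"Host: admin.example\r\n"    # the value a lenient backend might route on
            b"User-Agent: test\r\n\r\n")


def check(raw: bytes) -> str:
    """Return the accepted Host, or 'rejected: <reason>'."""
    try:
        _, headers = parse_request_head(raw)
        return single_host(headers, ALLOWED)
    except BadRequest as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(check(CLEAN))      # public.example
    print(check(SMUGGLED))   # rejected: expected exactly one Host header, got 2
```

The same check belongs at the proxy: if the proxy in front of aiohttp forwards both Host lines unchanged, rejecting duplicates there closes the gap for every backend at once.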

How to fix CVE-2026-34525 in Aiohttp

Patch immediately
  1. Update Aiohttp to version 3.13.4 or later:

       pip install --upgrade aiohttp

  2. Verify the installed version:

       pip show aiohttp

NextGuard automatically flags CVE-2026-34525 if Aiohttp appears in any of your monitored projects — no manual lookup required.

AIOHTTP: HTTP Response Splitting

CVSS: 2.5 (Low)
Affected versions: Aiohttp 3.9.5 and earlier, when the `reason` parameter of `Response` is populated from untrusted data.

Impact: low-severity HTTP response manipulation (header injection).

EPSS: 0.045%, a low predicted probability of exploitation.

The reason phrase is written into the status line verbatim. If an application passes untrusted input as the `reason` argument when constructing a `Response`, a value containing CR/LF terminates the status line early and the remainder is emitted as additional response headers (HTTP response splitting), letting an attacker add response headers of their choosing.

How to fix CVE-2026-34519 in Aiohttp

Patch within 24h
  1. Update Aiohttp to version 3.13.4 or later:

       pip install --upgrade aiohttp

  2. Verify the installed version:

       pip show aiohttp

Workaround: do not build the reason phrase from untrusted input. If you must, reject any value containing CR, LF or other control characters before passing it to `Response`; the standard reason phrases for each status code are safe.

AIOHTTP: Uncapped Trailer Headers

CVSS: N/A
Affected versions: Aiohttp 3.9.5 and earlier.

Impact: potential denial of service through memory exhaustion.

EPSS: 0.038%, a low predicted probability of exploitation.

Aiohttp did not cap the size of the trailer section of chunked messages. Trailer headers arrive after the final chunk, outside what body-size limits measure, so a peer that sends an arbitrarily large trailer section could force unbounded memory use while it was being buffered.
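What the fix amounts to, in any chunked-body parser, is counting trailer bytes as they arrive and abandoning the message as soon as they pass a cap. The following decoder is an added example, not aiohttp's parser; `MAX_TRAILER_BYTES` is an assumed cap and the two message bodies are constructed.

```python
"""Decode an HTTP/1.1 chunked body and cap the trailer section.

Added example (not aiohttp code). MAX_TRAILER_BYTES is an assumed cap.
"""
from __future__ import annotations

from typing import Dict, Tuple

MAX_TRAILER_BYTES = 8 * 1024  # assumed cap; tune to what your handlers need


class TrailerTooLarge(ValueError):
    pass


def decode_chunked(data: bytes, max_trailer_bytes: int = MAX_TRAILER_BYTES
                   ) -> Tuple[bytes, Dict[str, str]]:
    """Return (body, trailers) for a complete chunked message body.

    Raises TrailerTooLarge once the trailer section exceeds the cap. The
    running total is checked per trailer line, so an oversized section is
    rejected after at most max_trailer_bytes (plus one line) are consumed.
    """
    body = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailer section follows
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2

    trailers: Dict[str, str] = {}
    consumed = 0
    while True:
        eol = data.index(b"\r\n", pos)
        line = data[pos:eol]
        pos = eol + 2
        if not line:
            break  # empty line ends the trailer section
        consumed += len(line) + 2
        if consumed > max_trailer_bytes:
            raise TrailerTooLarge(
                f"trailer section exceeded {max_trailer_bytes} bytes")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed trailer line")
        trailers[name.decode("latin-1").strip().lower()] = (
            value.decode("latin-1").strip())
    return bytes(body), trailers


# Constructed sample bodies (not captured traffic).
NORMAL = (b"5\r\nhello\r\n"
          b"6\r\n world\r\n"
          b"0\r\n"
          b"X-Checksum: abc123\r\n"
          b"\r\n")

# A single 64 KiB trailer line, far past the cap.
OVERSIZED = (b"5\r\nhello\r\n"
             b"0\r\n"
             b"X-Pad: " + b"A" * 65536 + b"\r\n"
             b"\r\n")


def decode_or_reason(data: bytes) -> str:
    """Body text on success, the exception class name when the cap trips."""
    try:
        body, _ = decode_chunked(data)
        return body.decode()
    except TrailerTooLarge as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(decode_chunked(NORMAL))       # (b'hello world', {'x-checksum': 'abc123'})
    print(decode_or_reason(OVERSIZED))  # TrailerTooLarge
```

This decoder works on a complete buffer. A streaming parser must additionally bound the length of a single line before the terminating CRLF has arrived, otherwise one endless trailer line defeats the per-line check.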

How to fix CVE-2026-22815 in Aiohttp

Patch within 7 days
  1. Update Aiohttp to version 3.13.4 or later:

       pip install --upgrade aiohttp

  2. Verify the installed version:

       pip show aiohttp

Workaround: Configure a reverse proxy to limit trailer header sizes.

AIOHTTP: Memory DoS in Multipart Handling

CVSS: 2.5 (Low)
Affected versions: Aiohttp 3.9.5 and earlier, when handlers call `Request.post()`.

Impact: potential denial of service via large multipart requests.

EPSS: 0.04%, a low predicted probability of exploitation.

For non-file multipart form fields, Aiohttp enforced the size limit only after a field had been read in full rather than as the data arrived. An attacker can therefore send a crafted multipart body whose field is far larger than the configured limit and have the whole field buffered in memory before it is rejected.
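The difference between late and early enforcement is easiest to see with the field fed in chunks. The following is an added example, not aiohttp's multipart reader: `FIELD_LIMIT` is an assumed cap, the stream is constructed filler, and `peak_buffered` reports how much each strategy held in memory before deciding.

```python
"""Early versus late size enforcement for a multipart form field.

Added example (not aiohttp code). FIELD_LIMIT is an assumed cap; the input
stream is constructed filler.
"""
from __future__ import annotations

from typing import Callable, Iterable, Tuple

FIELD_LIMIT = 64 * 1024  # assumed per-field cap in bytes


class FieldTooLarge(ValueError):
    def __init__(self, buffered: int, limit: int) -> None:
        super().__init__(f"field exceeds {limit} bytes ({buffered} bytes were buffered)")
        self.buffered = buffered


def read_field_late(chunks: Iterable[bytes], limit: int = FIELD_LIMIT) -> Tuple[bytes, int]:
    """Collect the whole field, then check. Returns (value, bytes buffered)."""
    buf = bytearray()
    for chunk in chunks:
        buf += chunk
    if len(buf) > limit:
        # By now the entire attacker-controlled field sits in memory.
        raise FieldTooLarge(len(buf), limit)
    return bytes(buf), len(buf)


def read_field_early(chunks: Iterable[bytes], limit: int = FIELD_LIMIT) -> Tuple[bytes, int]:
    """Check before appending each chunk. Returns (value, bytes buffered)."""
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > limit:
            # Abort with at most `limit` bytes buffered; the rest is never read.
            raise FieldTooLarge(len(buf), limit)
        buf += chunk
    return bytes(buf), len(buf)


def constructed_stream(total: int, chunk_size: int = 8192) -> Iterable[bytes]:
    """Yield `total` filler bytes in fixed-size chunks (constructed input)."""
    remaining = total
    while remaining > 0:
        n = min(chunk_size, remaining)
        yield b"x" * n
        remaining -= n


Reader = Callable[[Iterable[bytes], int], Tuple[bytes, int]]


def peak_buffered(reader: Reader, total: int, limit: int = FIELD_LIMIT) -> int:
    """Feed a `total`-byte field to `reader`; report how many bytes it buffered."""
    try:
        _, buffered = reader(constructed_stream(total), limit)
        return buffered
    except FieldTooLarge as exc:
        return exc.buffered


if __name__ == "__main__":
    big = 4 * 1024 * 1024  # a 4 MiB field against a 64 KiB limit
    print(peak_buffered(read_field_early, big))  # 65536
    print(peak_buffered(read_field_late, big))   # 4194304
```

Both readers reject the oversized field; only the early one does so before the attacker's bytes have been allocated, which is what keeps a flood of such requests from exhausting memory.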

How to fix CVE-2026-34517 in Aiohttp

Patch within 24h
  1. Update Aiohttp to version 3.13.4 or later:

       pip install --upgrade aiohttp

  2. Verify the installed version:

       pip show aiohttp

Workaround: enforce request body size limits in front of the application, at the reverse proxy or load balancer, so oversized multipart bodies never reach the affected code path. Client-side validation is not a mitigation here, since the attacker controls the client.

AIOHTTP: Cookie and Proxy-Authorization Header Leakage

CVSS: 2.5 (Low)
Affected versions: Aiohttp 3.9.5 and earlier, when the client follows redirects to a different origin.

Impact: information leakage through header retention across redirects.

EPSS: 0.04%, a low predicted probability of exploitation.

When the client followed a redirect to a different origin, it kept the Cookie and Proxy-Authorization headers from the original request. A redirect to a host the original server does not control therefore receives session cookies and proxy credentials that were meant only for the original origin.
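The rule a client should apply when following a redirect is: resolve the Location against the current URL, compare origins (scheme, host, effective port), and drop credential-bearing headers when the origin changes. The following is an added example, not aiohttp's redirect handling; it also strips Authorization, which this advisory does not mention, as a conservative choice, and the request headers are constructed placeholders rather than real credentials.

```python
"""Drop credential-bearing headers when a redirect leaves the original origin.

Added example (not aiohttp code). Treating Authorization as origin-bound,
alongside Cookie and Proxy-Authorization, is a conservative choice made here.
"""
from __future__ import annotations

from typing import Dict, Tuple
from urllib.parse import urljoin, urlsplit

SENSITIVE_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in and case normalised."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if parts.hostname is None:
        raise ValueError(f"URL has no host: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"no port for scheme {scheme!r}: {url!r}")
    return scheme, parts.hostname.lower(), port


def headers_for_redirect(original_url: str, location: str,
                         headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Return (absolute redirect target, headers safe to send to it).

    Relative Location values are resolved against the original URL. When the
    target origin differs from the original origin, sensitive headers are
    removed; everything else is forwarded unchanged.
    """
    target = urljoin(original_url, location)
    if origin(target) == origin(original_url):
        return target, dict(headers)
    return target, {k: v for k, v in headers.items()
                    if k.lower() not in SENSITIVE_HEADERS}


# Constructed request headers (placeholder values, not real credentials).
REQUEST_HEADERS = {
    "Cookie": "session=constructed-value",
    "Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ=",
    "Accept": "application/json",
}

if __name__ == "__main__":
    same = headers_for_redirect("https://api.example/v1/login",
                                "/v1/home", REQUEST_HEADERS)
    cross = headers_for_redirect("https://api.example/v1/login",
                                 "https://cdn.other.example/", REQUEST_HEADERS)
    print(same)   # all three headers kept
    print(cross)  # only Accept kept
```

A scheme downgrade (https to http on the same host) counts as a different origin here and also strips the headers, which is the behaviour you want: the cookie would otherwise travel in clear text.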

How to fix CVE-2026-34518 in Aiohttp

Patch within 7 days
  1. Update Aiohttp to version 3.13.4 or later:

       pip install --upgrade aiohttp

  2. Verify the installed version:

       pip show aiohttp

Workaround: disable automatic redirects (`allow_redirects=False` on the client request) and handle the Location header yourself, dropping Cookie and Proxy-Authorization whenever the target's scheme, host or port differs from the original request.

AIOHTTP: Unbounded DNS Cache DoS

CVSS: 2.5 (Low)
Affected versions: Aiohttp 3.9.5 and earlier.

Impact: potential denial of service through an unbounded DNS cache.

EPSS: 0.04%, a low predicted probability of exploitation.

The DNS cache in `TCPConnector` had no upper bound on the number of entries. An application that makes requests to a large number of distinct hosts, such as a crawler or a service that fetches user-supplied URLs, accumulates one cache entry per host and can eventually exhaust memory.
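A resolver cache that cannot grow without bound needs two things: a TTL so stale answers expire, and an entry cap with an eviction order. The following is an added example, not `TCPConnector`'s cache; the resolver and clock are constructed stand-ins so the code runs offline and deterministically, and `max_entries` is an assumed default.

```python
"""A bounded, TTL-aware DNS result cache.

Added example (not aiohttp code). The resolver and clock are constructed
stand-ins; max_entries is an assumed default.
"""
from __future__ import annotations

import time
from collections import OrderedDict
from typing import Callable, List, Tuple


class BoundedDNSCache:
    def __init__(self, resolver: Callable[[str], List[str]], *,
                 max_entries: int = 1024, ttl: float = 10.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._resolve = resolver
        self._max = max_entries
        self._ttl = ttl
        self._clock = clock
        # host -> (expires_at, addresses); OrderedDict gives LRU ordering.
        self._entries: OrderedDict[str, Tuple[float, List[str]]] = OrderedDict()
        self.lookups = 0  # number of resolver calls, for observability

    def __len__(self) -> int:
        return len(self._entries)

    def resolve(self, host: str) -> List[str]:
        now = self._clock()
        host = host.lower().rstrip(".")  # normalise so case/trailing dot share an entry
        hit = self._entries.get(host)
        if hit is not None:
            expires_at, addrs = hit
            if expires_at > now:
                self._entries.move_to_end(host)  # mark as most recently used
                return list(addrs)
            del self._entries[host]  # expired
        addrs = self._resolve(host)
        self.lookups += 1
        self._entries[host] = (now + self._ttl, addrs)
        while len(self._entries) > self._max:
            self._entries.popitem(last=False)  # evict least recently used
        return list(addrs)


# Constructed resolver and clock (no network, deterministic).
def fake_resolver(host: str) -> List[str]:
    return [f"10.0.0.{sum(host.encode()) % 250 + 1}"]


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def fan_out(n_hosts: int, max_entries: int = 256) -> Tuple[int, int]:
    """Resolve n distinct hosts; return (entries held, resolver calls made)."""
    cache = BoundedDNSCache(fake_resolver, max_entries=max_entries,
                            ttl=30.0, clock=FakeClock())
    for i in range(n_hosts):
        cache.resolve(f"host-{i}.example")
    return len(cache), cache.lookups


if __name__ == "__main__":
    print(fan_out(100_000))  # (256, 100000): the cache never exceeds its cap
```

The TTL alone does not bound memory: a burst of distinct hosts inside one TTL window still creates one entry each, which is why the entry cap and eviction are the part that addresses this advisory.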

How to fix CVE-2026-34513 in Aiohttp

Patch within 7 days
  1. Update Aiohttp to version 3.13.4 or later:

       pip install --upgrade aiohttp

  2. Verify the installed version:

       pip show aiohttp

Workaround: disable the connector's DNS cache with `TCPConnector(use_dns_cache=False)`, at the cost of a resolver lookup per new connection, or restrict the set of hosts the application is allowed to contact. Limiting the number of concurrent lookups does not bound the cache, since every distinct host still adds an entry.

AIOHTTP: NTLMv2 Credential Theft on Windows

CVSS: N/A
Affected versions: Aiohttp 3.9.5 and earlier running on Windows, when the static resource handler is used (the project does not recommend it for production).

Impact: potential NTLMv2 credential theft on Windows.

EPSS: 0.057%, a low predicted probability of exploitation.

On Windows, the static resource handler could be induced to resolve a request to a remote path. When a Windows host opens a remote path it authenticates to the remote file server with NTLMv2, so an attacker who controls that server can capture the NTLMv2 authentication exchange and use it for credential theft.

How to fix CVE-2026-34515 in Aiohttp

Patch immediately
  1. Update Aiohttp to version 3.13.4 or later:

       pip install --upgrade aiohttp

  2. Verify the installed version:

       pip show aiohttp

Workaround: do not use the static resource handler in production; serve static files from a dedicated web server or the reverse proxy instead. If it must be used, restrict it to a fixed local directory, validate request paths strictly, and block outbound SMB (TCP 445) from the host so that a resolved remote path cannot reach an attacker's server.

AIOHTTP: CRLF Injection in Multipart Content Type

CVSS: 2.5 (Low)
Affected versions: Aiohttp 3.9.5 and earlier, when the `content_type` parameter of a multipart part is populated from untrusted data.

Impact: potential header injection via CRLF injection.

EPSS: 0.045%, a low predicted probability of exploitation.

When building a multipart request, the `content_type` of a part was written into the part headers without rejecting CR/LF. Untrusted input in that parameter can therefore terminate the Content-Type line and inject additional part headers into the outgoing request.
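This issue and the response-splitting issue above (the `reason` parameter of `Response`) share one root cause and one fix: a string that ends up on its own header line must not contain CR, LF or other control characters. The following is an added example covering both, not aiohttp's code; `render_status_line` and `render_part_header` are constructed stand-ins for what a framework serialises, kept deliberately unsafe to show the split, and the two attacker-controlled values are constructed.

```python
"""Reject CR, LF and other control characters in header fields.

Added example (not aiohttp code). render_status_line and render_part_header
are constructed, deliberately unsafe serialisers used to show the split.
"""
from __future__ import annotations

import re
from typing import List

# Control characters that can end a line or confuse a header parser.
# HTAB (0x09) is permitted; RFC 9112 allows it in field values and reason phrases.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjection(ValueError):
    pass


def safe_header_value(value: str, what: str = "header value") -> str:
    """Return value unchanged if it may be placed in a header line, else raise."""
    if _FORBIDDEN.search(value):
        raise HeaderInjection(f"control character in {what}: {value!r}")
    return value


def safe_reason(reason: str) -> str:
    """RFC 9112 reason-phrase is HTAB / SP / VCHAR / obs-text; never CR or LF."""
    return safe_header_value(reason, "reason phrase")


def safe_content_type(content_type: str) -> str:
    return safe_header_value(content_type, "content type")


def render_status_line(status: int, reason: str) -> bytes:
    """Unsafe: serialise the status line with the reason exactly as given."""
    return f"HTTP/1.1 {status} {reason}\r\n".encode("latin-1")


def render_part_header(content_type: str) -> bytes:
    """Unsafe: serialise a multipart part header with the type exactly as given."""
    return f"Content-Type: {content_type}\r\n\r\n".encode("latin-1")


def lines_on_wire(raw: bytes) -> List[bytes]:
    """The non-empty lines a receiver would parse; more than one means a split."""
    return [ln for ln in raw.split(b"\r\n") if ln]


# Constructed attacker-controlled inputs.
EVIL_REASON = "OK\r\nSet-Cookie: admin=1"
EVIL_TYPE = "text/plain\r\nContent-Disposition: form-data; name=\"role\""


def demo_reason(reason: str) -> str:
    """Describe what the safe and unsafe paths do with one reason phrase."""
    n = len(lines_on_wire(render_status_line(200, reason)))
    try:
        safe_reason(reason)
        return f"accepted, {n} line(s) on the wire"
    except HeaderInjection:
        return f"rejected (unsafe path would have emitted {n} lines)"


def demo_content_type(content_type: str) -> str:
    """Same comparison for a multipart part's Content-Type."""
    n = len(lines_on_wire(render_part_header(content_type)))
    try:
        safe_content_type(content_type)
        return f"accepted, {n} line(s) on the wire"
    except HeaderInjection:
        return f"rejected (unsafe path would have emitted {n} lines)"


if __name__ == "__main__":
    print(demo_reason("OK"))                          # accepted, 1 line(s) on the wire
    print(demo_reason(EVIL_REASON))                   # rejected (unsafe path would have emitted 2 lines)
    print(demo_content_type("text/plain; charset=utf-8"))
    print(demo_content_type(EVIL_TYPE))               # rejected (unsafe path would have emitted 2 lines)
```

Rejecting rather than stripping is deliberate: silently removing CR/LF turns an attack into a different, still attacker-shaped value, whereas a hard failure surfaces the bug in the caller that trusted the input.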

How to fix CVE-2026-34514 in Aiohttp

Patch within 24h
  1. Update Aiohttp to version 3.13.4 or later:

       pip install --upgrade aiohttp

  2. Verify the installed version:

       pip show aiohttp

Workaround: do not derive a part's `content_type` from untrusted input; if you must, reject any value containing CR, LF or other control characters before it is used to build the multipart request.

Stay ahead of Python vulnerabilities

Proactively identify and address security risks in your Python projects by monitoring your Python dependencies, so that you are alerted to new advisories such as these as soon as they are published.

These vulnerabilities in Aiohttp highlight the importance of keeping dependencies up to date. Regularly review and update your software to minimize your attack surface, and pin the patched version (3.13.4 or later) in your lock file so that a fresh install cannot regress to an affected release.

Related topics

aiohttp, python, web security, vulnerability management, HTTP