
AIOHTTP Patches Multiple Vulnerabilities in Version 3.13.4

Multiple vulnerabilities have been discovered in AIOHTTP, including header injection, DoS, and information leakage. Upgrade to version 3.13.4 to mitigate these issues.


Multiple vulnerabilities have been identified in AIOHTTP, potentially leading to denial of service, header injection, and information leakage. These issues affect applications using AIOHTTP version 3.9.5 and earlier. A patch is available in version 3.13.4 to address these vulnerabilities.

Several vulnerabilities have a CVSS score of 2.5, indicating low severity.

What is Aiohttp?

Aiohttp is an asynchronous HTTP client/server framework for Python. It is built on top of asyncio, Python's standard asynchronous I/O framework, and provides non-blocking network operations. Aiohttp is commonly used for building high-performance web applications and services that must handle a large number of concurrent connections. It simplifies making HTTP requests and handling responses asynchronously, and supports both client-side (making requests to external servers) and server-side (handling incoming requests) use. Because of its asynchronous design, aiohttp is well suited to applications that need to manage many concurrent tasks efficiently, such as web scraping, API integrations, and real-time applications.

CVE-2026-34525: AIOHTTP Accepts Duplicate Host Headers

CVSS: N/A
Affected versions: This vulnerability affects AIOHTTP versions 3.9.5 and earlier. Applications using reverse proxies that depend on the Host header for security rules are most at risk.

No CVSS score provided.

EPSS score of 0.085 suggests low exploitability.

AIOHTTP incorrectly accepts multiple Host headers in a request. This could allow an attacker to bypass security checks on reverse proxies that rely on the Host header for routing or access control.

How to fix CVE-2026-34525 in AIOHTTP

Patch within 7 days
  1. Upgrade AIOHTTP to version 3.13.4 or later:

     pip install --upgrade aiohttp

     Verify with:

     pip show aiohttp

Workaround: Configure your reverse proxy to reject requests with multiple Host headers.

NextGuard automatically flags CVE-2026-34525 if AIOHTTP appears in any of your monitored projects — no manual lookup required.

CVE-2026-34519: AIOHTTP HTTP Response Splitting via \r in Reason Phrase

CVSS: 2.5
Affected versions: This vulnerability affects AIOHTTP versions 3.9.5 and earlier. Applications that allow untrusted data to be used in the response's `reason` parameter are vulnerable.

Low severity vulnerability.

EPSS score of 0.045 suggests low exploitability.

AIOHTTP is vulnerable to HTTP response splitting if the `reason` parameter of a `Response` object is controlled by an attacker. By injecting carriage return characters, an attacker can inject arbitrary headers into the response.

How to fix CVE-2026-34519 in AIOHTTP

Patch within 7 days
  1. Upgrade AIOHTTP to version 3.13.4 or later:

     pip install --upgrade aiohttp

     Verify with:

     pip show aiohttp

Workaround: Ensure that the `reason` parameter of `Response` objects is always from a trusted source.

NextGuard automatically flags CVE-2026-34519 if AIOHTTP appears in any of your monitored projects — no manual lookup required.

CVE-2026-34517: AIOHTTP Late Size Enforcement Causes Memory DoS

CVSS: 2.5
Affected versions: This vulnerability affects AIOHTTP versions 3.9.5 and earlier. Applications using `Request.post()` are vulnerable to this denial-of-service attack.

Low severity vulnerability.

EPSS score of 0.04 suggests low exploitability.

AIOHTTP reads the entire multipart form field into memory before checking `client_max_size`. An attacker can exploit this by sending a large multipart request, causing excessive memory allocation and a potential denial-of-service.

How to fix CVE-2026-34517 in AIOHTTP

Patch within 7 days
  1. Upgrade AIOHTTP to version 3.13.4 or later:

     pip install --upgrade aiohttp

     Verify with:

     pip show aiohttp

Workaround: Limit the size of incoming requests and consider using a web application firewall to filter malicious requests.

NextGuard automatically flags CVE-2026-34517 if AIOHTTP appears in any of your monitored projects — no manual lookup required.

CVE-2026-34518: AIOHTTP Leaks Cookie and Proxy-Authorization Headers on Cross-Origin Redirect

CVSS: 2.5
Affected versions: This vulnerability affects AIOHTTP versions 3.9.5 and earlier. Applications that follow redirects to different origins are vulnerable.

Low severity vulnerability.

EPSS score of 0.04 suggests low exploitability.

AIOHTTP retains the Cookie and Proxy-Authorization headers when following redirects to a different origin. This can lead to sensitive information being leaked to an unintended party.

How to fix CVE-2026-34518 in AIOHTTP

Patch within 7 days
  1. Upgrade AIOHTTP to version 3.13.4 or later:

     pip install --upgrade aiohttp

     Verify with:

     pip show aiohttp

Workaround: Avoid following redirects to untrusted origins or manually clear sensitive headers before following a redirect.
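The second half of that workaround, clearing credential headers before a cross-origin hop, as an added example that is not aiohttp project code. The redirect loop takes a `fetch` callable (an assumption: it returns the status code and response headers) so it can sit in front of any client whose automatic redirect following is switched off; `origin`, `headers_for_redirect`, `follow_redirects` and the fake server in `demo` are all constructed for illustration, and the block goes slightly beyond the advisory by stripping `Authorization` as well as the two headers it names.

```python
"""Cross-origin redirect handling that drops credential-bearing headers.

Added example for CVE-2026-34518 (not aiohttp project code). The loop takes a
`fetch` callable, assumed to return (status code, response headers), so it can
drive any client whose automatic redirects are turned off.
"""
from urllib.parse import urljoin, urlsplit

# Cookie and Proxy-Authorization are named in the advisory; Authorization is
# stripped too since it carries credentials the same way.
SENSITIVE_HEADERS = frozenset({"cookie", "proxy-authorization", "authorization"})
_DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url: str) -> tuple:
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    return p.scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(p.scheme, -1)

def headers_for_redirect(from_url: str, to_url: str, headers: dict) -> dict:
    """Copy the request headers, dropping credentials when the target origin differs."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}

def follow_redirects(fetch, url: str, headers: dict, max_redirects: int = 5) -> tuple:
    """Follow redirects by hand; returns (final_url, final_status)."""
    current = dict(headers)
    for _ in range(max_redirects + 1):
        status, resp = fetch(url, current)
        location = resp.get("Location") or resp.get("location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, status
        target = urljoin(url, location)  # Location may be relative to `url`
        current = headers_for_redirect(url, target, current)
        url = target
    raise RuntimeError("too many redirects")

def demo() -> list:
    """Run the loop against a constructed fake server; returns the requests it saw."""
    seen = []

    def fake_fetch(url, headers):  # constructed stand-in for a real HTTP client
        seen.append((url, dict(headers)))
        if url == "https://api.example.com/login":
            return 302, {"Location": "https://other.example.net/landing"}
        return 200, {}

    follow_redirects(fake_fetch, "https://api.example.com/login",
                     {"Cookie": "session=abc", "Proxy-Authorization": "Basic x", "User-Agent": "demo"})
    return seen
```

A same-origin redirect (same scheme, host and port, default ports included) keeps every header; only a change of origin triggers the stripping.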

NextGuard automatically flags CVE-2026-34518 if AIOHTTP appears in any of your monitored projects — no manual lookup required.

CVE-2026-34513: AIOHTTP Denial of Service via Unbounded DNS Cache

CVSS: 2.5
Affected versions: This vulnerability affects AIOHTTP versions 3.9.5 and earlier. Applications that make requests to a very large number of hosts are vulnerable.

Low severity vulnerability.

EPSS score of 0.04 suggests low exploitability.

AIOHTTP's unbounded DNS cache can lead to excessive memory usage, potentially resulting in a denial-of-service. An application making requests to a large number of hosts could exhaust memory resources.

How to fix CVE-2026-34513 in AIOHTTP

Patch within 7 days
  1. Upgrade AIOHTTP to version 3.13.4 or later:

     pip install --upgrade aiohttp

     Verify with:

     pip show aiohttp

Workaround: Limit the number of unique hosts an application connects to, or implement a custom DNS cache with a size limit.

NextGuard automatically flags CVE-2026-34513 if AIOHTTP appears in any of your monitored projects — no manual lookup required.

CVE-2026-34515: AIOHTTP UNC SSRF/NTLMv2 Credential Theft/Local File Read on Windows

CVSS: N/A
Affected versions: This vulnerability affects AIOHTTP versions 3.9.5 and earlier, running on Windows, and using the static resource handler. It is not recommended to use the static resource handler in production.

No CVSS score provided.

EPSS score of 0.057 suggests low exploitability.

On Windows, AIOHTTP's static resource handler may expose information about an NTLMv2 remote path, potentially leading to credential theft or local file read.

How to fix CVE-2026-34515 in AIOHTTP

Patch within 7 days
  1. Upgrade AIOHTTP to version 3.13.4 or later:

     pip install --upgrade aiohttp

     Verify with:

     pip show aiohttp

Workaround: Avoid using AIOHTTP's static resource handler, especially in production environments. Use a dedicated static file server instead.

NextGuard automatically flags CVE-2026-34515 if AIOHTTP appears in any of your monitored projects — no manual lookup required.

CVE-2026-34514: AIOHTTP CRLF Injection Through Multipart Content Type Header

CVSS: 2.5
Affected versions: This vulnerability affects AIOHTTP versions 3.9.5 and earlier. Applications that allow untrusted data to be used for the multipart `content_type` parameter are vulnerable.

Low severity vulnerability.

EPSS score of 0.045 suggests low exploitability.

AIOHTTP is vulnerable to CRLF injection through the way it constructs the content type header of a multipart part. An attacker who controls the `content_type` parameter can inject extra headers or mount similar attacks.

How to fix CVE-2026-34514 in AIOHTTP

Patch within 7 days
  1. Upgrade AIOHTTP to version 3.13.4 or later:

     pip install --upgrade aiohttp

     Verify with:

     pip show aiohttp

Workaround: Ensure that the `content_type` parameter for multipart requests is always from a trusted source and properly sanitized.
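The "properly sanitized" part of this workaround and of the `reason` workaround for CVE-2026-34519 above, as an added example that is not aiohttp project code: the values are checked against the HTTP grammar for a reason phrase and for a media type before they are handed to aiohttp, so a CR or LF can never end the status line or the part header early. The function names and the regular expressions are constructed for illustration.

```python
"""Validation for values that end up on HTTP protocol lines.

Added example (not aiohttp code) for the `reason` parameter of `Response`
(CVE-2026-34519) and the multipart `content_type` parameter (CVE-2026-34514):
a CR or LF inside either value would end the status line or part header early
and let the remainder be parsed as attacker-chosen headers.
"""
import re

# RFC 9112: reason-phrase = *( HTAB / SP / VCHAR / obs-text ); CR and LF are excluded.
_REASON_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")

# RFC 9110 media-type: type "/" subtype *( OWS ";" OWS token "=" (token / quoted) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\r\n]|\\[^\r\n])*"'
_MEDIA_TYPE_RE = re.compile(
    rf"{_TOKEN}/{_TOKEN}(?:[ \t]*;[ \t]*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*"
)

class HeaderInjectionError(ValueError):
    """Raised when a value could break out of its HTTP protocol line."""

def is_valid_reason(reason: str) -> bool:
    """True if every character is allowed in a reason phrase (no control characters)."""
    return _REASON_RE.fullmatch(reason) is not None

def is_valid_media_type(content_type: str) -> bool:
    """True if the value is syntactically a media type with optional parameters."""
    return _MEDIA_TYPE_RE.fullmatch(content_type) is not None

def safe_reason(reason: str) -> str:
    """Return `reason` for use as Response(reason=...), or raise on control characters."""
    if not is_valid_reason(reason):
        raise HeaderInjectionError(f"control characters in reason phrase: {reason!r}")
    return reason

def safe_content_type(content_type: str) -> str:
    """Return `content_type` for a multipart part, or raise on a malformed value."""
    if not is_valid_media_type(content_type):
        raise HeaderInjectionError(f"malformed media type: {content_type!r}")
    return content_type
```

The media-type check is stricter than a bare CR/LF scan on purpose: a value that is not a media type at all has no business in that header, whatever characters it contains.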

NextGuard automatically flags CVE-2026-34514 if AIOHTTP appears in any of your monitored projects — no manual lookup required.

Stay ahead of Python vulnerabilities

Proactively detect and remediate vulnerabilities in your Python projects. Use NextGuard to monitor your Python dependencies and receive alerts on new threats.

Frequently asked questions

AIOHTTP has released version 3.13.4 to address several security vulnerabilities. Upgrading to the latest version is strongly recommended to protect your applications.
