Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-34525 describes a vulnerability in aiohttp where multiple Host headers are permitted. This could lead to a scenario where a reverse proxy's security rules are bypassed, potentially allowing requests to be processed by aiohttp in a privileged sub-application when using Application.add_domain(). The vulnerability affects versions of aiohttp up to and including 3.9.5, and a patch has been released.
CVE-2026-34525 in aiohttp allows multiple 'Host' headers to be accepted. While this doesn't directly affect aiohttp's security itself, it poses a significant risk when aiohttp is used behind a reverse proxy that relies on the 'Host' header to enforce security rules. An attacker could manipulate the 'Host' header to cause the proxy and aiohttp to process different hostnames, potentially bypassing security checks on the proxy and getting a request processed by a privileged sub-app within aiohttp, especially when using Application.add_domain(). The severity of this issue depends on the reverse proxy configuration and security policies implemented.
This vulnerability is exploited by sending an HTTP request with multiple 'Host' headers. The reverse proxy, trusting a specific 'Host' header, might allow the request to pass without proper validation. aiohttp, accepting multiple headers, could process a hostname different from what the proxy expects, potentially leading to unauthorized code execution or access to sensitive resources. The likelihood of exploitation increases if the proxy doesn't validate the 'Host' header and if aiohttp is configured with privileged sub-applications.
Exploit Status
EPSS
0.10% (28% percentile)
CISA SSVC
The recommended solution is to upgrade to aiohttp version 3.13.4 or later. This version fixes the vulnerability by validating and restricting the number of 'Host' headers allowed. Additionally, review your reverse proxy configuration to ensure robust security controls are in place, regardless of the received 'Host' header. This might include hostname validation in the proxy and firewall rules to restrict access to privileged sub-applications. Monitoring proxy and aiohttp logs for suspicious activity is also a good security practice.
Actualice a la versión 3.13.4 o superior de AIOHTTP. Esta versión corrige la vulnerabilidad que permite múltiples encabezados Host, lo cual podría ser explotado para realizar ataques de envenenamiento de caché HTTP o suplantación de identidad.
Vulnerability analysis and critical alerts directly to your inbox.
The severity depends on the reverse proxy configuration. If the proxy doesn't validate the 'Host' header, the vulnerability is critical.
Implement additional security controls in the reverse proxy, such as hostname validation and firewall rules.
Review proxy and aiohttp logs for requests with multiple 'Host' headers.
It's an aiohttp function that allows creating sub-applications with specific domains. If these sub-applications have elevated privileges, the vulnerability can be more severe.
Currently, there are no specific tools, but web vulnerability scanners can be adapted to look for requests with multiple 'Host' headers.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.