Platform: python
Component: aiohttp
Fixed in: 3.13.5, 3.13.4
CVE-2026-34518 is a vulnerability in the aiohttp Python HTTP client, reported as a Server-Side Request Forgery (SSRF) class issue, whose practical effect is credential leakage. When the client follows a redirect to a different origin (a change of scheme, host or port), it drops the Authorization header but keeps forwarding the Cookie and Proxy-Authorization headers to the new origin. Any server that can answer a client request with a cross-origin redirect therefore receives those headers. The vulnerability affects aiohttp versions up to and including 3.9.5; the fix ships in version 3.13.4.
The impact of CVE-2026-34518 is the exposure of whatever the Cookie and Proxy-Authorization headers carry: session identifiers, proxy credentials, or tokens used by custom cookie-based authentication schemes. Because the headers are sent by the client itself on the redirected request, the redirect target does not need to break anything to obtain them; it only needs to be a different origin than the one the original request was meant for. An attacker who controls, or can inject a redirect into, any host the aiohttp client talks to can collect these values and replay them against the backend systems they are valid for. While the CVSS score is low, the potential for credential exposure warrants prompt attention.
CVE-2026-34518 is not listed on the CISA KEV catalog. Its EPSS score is 0.05% (16th percentile), consistent with the low CVSS score and with the precondition that the attacker must be able to make a server the client requests respond with a redirect to an attacker-controlled origin. No public proof-of-concept (PoC) exploit had been released as of the publication date, and no active exploitation campaigns are known, but the vulnerability is simple to trigger once that precondition is met, so opportunistic abuse cannot be ruled out.
Applications and services that use aiohttp as an HTTP client with automatic redirect handling are at risk, in particular those that attach cookies or proxy credentials to outbound requests: web applications calling third-party APIs, API gateways, and microservices that forward session cookies between internal services. Environments with legacy authentication schemes or custom cookie implementations are especially exposed because those headers tend to carry long-lived credentials.
• python / server:
import requests
from urllib.parse import urlsplit

# Request headers that should never be forwarded across an origin change.
SENSITIVE = ("Authorization", "Cookie", "Proxy-Authorization")

def origin(url):
    """Return (scheme, host, port) so redirects can be compared by origin."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)

def check_redirect_headers(url, headers):
    """Follow redirects and report which sensitive request headers were
    forwarded to every hop whose origin differs from the starting origin.
    Inspects the headers the client actually sent (hop.request.headers),
    not the headers or cookies it received, which is what a leak check needs."""
    try:
        response = requests.get(url, headers=headers, allow_redirects=True)
    except requests.RequestException as e:
        print(f"Error during request: {e}")
        return
    start = origin(url)
    for hop in response.history + [response]:
        sent_to = hop.request.url
        if origin(sent_to) != start:
            forwarded = [h for h in SENSITIVE if h in hop.request.headers]
            print(f"Redirect to different origin detected: {sent_to}")
            print(f"Sensitive headers forwarded: {forwarded or 'none'}")

# Example usage with dummy credentials
check_redirect_headers("http://example.com/redirect",
                       {"Cookie": "session=test", "Proxy-Authorization": "Basic dGVzdA=="})
Exploit status
EPSS: 0.05% (16th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34518 is to upgrade to aiohttp version 3.13.4 or later, which includes the fix. If upgrading is not immediately feasible because of compatibility issues or breaking changes, apply a temporary workaround in the client code: disable automatic redirect following (aiohttp's request methods accept allow_redirects=False), resolve the Location header yourself, and only re-send the request once you have checked that the target origin is trusted and have stripped Authorization, Cookie and Proxy-Authorization when the origin changes. Where a forward proxy or egress gateway sits between the application and the outside world, it can additionally enforce an allow-list of destination origins so that a redirect to an unexpected host is blocked regardless of client behaviour. After upgrading, confirm the fix by pointing the client at a server you control that redirects to a second origin, and verifying on that second origin that the Cookie and Proxy-Authorization headers no longer arrive with the redirected request (the leak is in the request the client sends, not in any response).
Upgrade to aiohttp version 3.13.4 or later. This version fixes the leak of the Cookie and Proxy-Authorization headers when following redirects to a different origin. The upgrade can be performed with the pip package manager.
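The workaround above, manual redirect handling with per-hop header sanitisation, as an added example. This is not code from aiohttp or from the original advisory; the function names, the `fetch` callback signature and the in-memory fake hosts (api.internal.example, evil.example) are all assumptions made for this example. `vulnerable_headers_for_redirect` mirrors the behaviour the advisory describes (only Authorization dropped on a cross-origin hop) so the leak and the fix can be compared side by side:

```python
from urllib.parse import urlsplit, urljoin

# Headers that must never cross an origin boundary.  Authorization is included
# as well, so the hardened path is strictly safer than the behaviour described
# for vulnerable aiohttp versions.
SENSITIVE_HEADERS = ("authorization", "cookie", "proxy-authorization")
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def origin(url):
    """(scheme, host, port) with default ports normalised, so that
    http://a.example and http://a.example:80 compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a, b):
    return origin(a) == origin(b)


def headers_for_redirect(from_url, to_url, headers):
    """Hardened: keep everything on a same-origin hop, drop all sensitive
    headers when the origin changes."""
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def vulnerable_headers_for_redirect(from_url, to_url, headers):
    """Models the advisory's description: only Authorization is dropped on a
    cross-origin hop; Cookie and Proxy-Authorization leak."""
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def follow_redirects(fetch, url, headers, max_redirects=5, sanitize=headers_for_redirect):
    """Drive fetch(url, headers) -> (status, response_headers, body), which must
    NOT follow redirects itself (e.g. an aiohttp call with allow_redirects=False).
    Resolves Location per hop, sanitises headers, refuses non-http(s) targets.
    Returns (final_url, status, body, hops); hops lists (url, headers_sent) for audit."""
    hops = []
    current, current_headers = url, dict(headers)
    for _ in range(max_redirects + 1):
        hops.append((current, dict(current_headers)))
        status, resp_headers, body = fetch(current, current_headers)
        if status not in REDIRECT_STATUSES:
            return current, status, body, hops
        location = resp_headers.get("Location")
        if location is None:
            raise ValueError(f"redirect without Location from {current}")
        nxt = urljoin(current, location)
        if urlsplit(nxt).scheme not in DEFAULT_PORTS:
            raise ValueError(f"refusing non-http(s) redirect to {nxt}")
        current_headers = sanitize(current, nxt, current_headers)
        current = nxt
    raise RuntimeError("too many redirects")


# Constructed in-memory hosts standing in for real servers (example data only).
def fake_fetch(url, headers):
    if url == "https://api.internal.example/login":
        return 302, {"Location": "https://evil.example/collect"}, b""
    if url == "https://api.internal.example/same":
        return 307, {"Location": "/final"}, b""
    if url == "https://api.internal.example/final":
        return 200, {}, b"same-origin ok"
    if url == "https://evil.example/collect":
        # The attacker's host echoes back which sensitive headers it received.
        leaked = sorted(k for k in headers if k.lower() in SENSITIVE_HEADERS)
        return 200, {}, ",".join(leaked).encode()
    return 404, {}, b""


if __name__ == "__main__":
    creds = {"Authorization": "Bearer x", "Cookie": "s=1",
             "Proxy-Authorization": "Basic y", "Accept": "*/*"}
    for name, fn in (("vulnerable", vulnerable_headers_for_redirect),
                     ("hardened", headers_for_redirect)):
        _, _, body, hops = follow_redirects(fake_fetch, "https://api.internal.example/login",
                                            creds, sanitize=fn)
        print(f"{name}: leaked to evil.example -> {body.decode() or 'nothing'}")
```

To wire this into aiohttp, `fetch` would wrap `session.request(method, url, headers=headers, allow_redirects=False)` and return the status, response headers and body; the same `follow_redirects` loop then does the redirect handling the library would otherwise do automatically, with the origin check in the middle.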
CVE-2026-34518 is a Server-Side Request Forgery vulnerability in the aiohttp Python library where sensitive headers are leaked during redirects to different origins.
You are affected if you are using aiohttp version 3.9.5 or earlier. Upgrade to 3.13.4 or later to mitigate the risk.
Upgrade to aiohttp version 3.13.4 or later. If immediate upgrade is not possible, implement temporary workarounds like header filtering or URL scrutiny.
No active exploitation campaigns are currently known, but the vulnerability's ease of triggering suggests it could become a target.
Refer to the aiohttp GitHub repository for details and the patch: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6