aiohttp (pypi) security advisories

MEDIUM 5.5

PyPI

CVE-2022-33124

Withdrawn: Denial of Service in aiohttp

Jun 24, 2022

MEDIUM 5.5

PyPI

CVE-2022-33124

Jun 23, 2022

MEDIUM 6.4

PyPI

CVE-2026-34993

AIOHTTP is Vulnerable to Deserialization of Untrusted Data

Jun 3, 2026

UNKNOWN

PyPI

CVE-2026-47265

AIOHTTP is vulnerable to cross-origin redirect with per-request cookies

Jun 3, 2026

MEDIUM 5.3

PyPI

CVE-2026-34518

AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

Apr 1, 2026

CRITICAL 9.1

PyPI

CVE-2026-34520

AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Apr 1, 2026

HIGH 7.5

PyPI

CVE-2026-34516

AIOHTTP has a Multipart Header Size Bypass

Apr 1, 2026

UNKNOWN

PyPI

CVE-2026-22815

aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage

Apr 1, 2026

UNKNOWN

PyPI

CVE-2026-34515

AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows

Apr 1, 2026

UNKNOWN

PyPI

CVE-2026-34514

AIOHTTP has CRLF injection through multipart part content type header construction

Apr 1, 2026

UNKNOWN

PyPI

CVE-2026-34513

AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector

Apr 1, 2026

UNKNOWN

PyPI

CVE-2026-34525

AIOHTTP accepts duplicate Host headers

Apr 1, 2026

UNKNOWN

PyPI

CVE-2026-34519

AIOHTTP has HTTP response splitting via \r in reason phrase

Apr 1, 2026

UNKNOWN

PyPI

CVE-2026-34517

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Apr 1, 2026

LOW 3.1

PyPI

CVE-2021-21330

`aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)

Feb 26, 2021

MEDIUM 5.9

PyPI

CVE-2024-23334

aiohttp is vulnerable to directory traversal

Jan 29, 2024

MEDIUM 5.3

PyPI

CVE-2023-49082

aiohttp's ClientSession is vulnerable to CRLF injection via method

Nov 27, 2023

UNKNOWN

PyPI

CVE-2025-69224

AIOHTTP's unicode processing of header values could cause parsing discrepancies

Jan 5, 2026

HIGH 7.5

PyPI

CVE-2024-30251

aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests

May 3, 2024

UNKNOWN

PyPI

CVE-2025-69226

AIOHTTP vulnerable to brute-force leak of internal static ﬁle path components

Jan 5, 2026

HIGH 7.2

PyPI

CVE-2023-49081

aiohttp's ClientSession is vulnerable to CRLF injection via version

Nov 27, 2023

UNKNOWN

PyPI

CVE-2025-69230

AIOHTTP Vulnerable to Cookie Parser Warning Storm

Jan 5, 2026

UNKNOWN

PyPI

GHSA-pjjw-qhg8-p2p9

aiohttp has vulnerable dependency that is vulnerable to request smuggling

Nov 27, 2023

UNKNOWN

PyPI

CVE-2025-53643

AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections

Jul 14, 2025

MEDIUM 6.5

PyPI

CVE-2024-23829

aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators

Jan 29, 2024

MEDIUM 5.3

PyPI

CVE-2023-47627

AIOHTTP has problems in HTTP parser (the python one, not llhttp)

Nov 14, 2023

UNKNOWN

PyPI

CVE-2025-69227

AIOHTTP vulnerable to DoS when bypassing asserts

Jan 5, 2026

UNKNOWN

PyPI

CVE-2024-52304

aiohttp allows request smuggling due to incorrect parsing of chunk extensions

Nov 18, 2024

HIGH 7.5

PyPI

CVE-2025-69223

AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb

Jan 5, 2026

UNKNOWN

PyPI

CVE-2025-69225

AIOHTTP has unicode match groups in regexes for ASCII protocol elements

Jan 5, 2026

MEDIUM 4.8

PyPI

CVE-2024-42367

In aiohttp, compressed files as symlinks are not protected from path traversal

Aug 9, 2024

HIGH 7.5

PyPI

CVE-2024-52303

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

Nov 18, 2024

MEDIUM 6.1

PyPI

CVE-2024-27306

aiohttp Cross-site Scripting vulnerability on index pages for static file handling

Apr 18, 2024

UNKNOWN

PyPI

CVE-2025-69228

AIOHTTP vulnerable to denial of service through large payloads

Jan 5, 2026

UNKNOWN

PyPI

CVE-2025-69229

AIOHTTP vulnerable to DoS through chunked messages

Jan 5, 2026

LOW 3.4

PyPI

CVE-2023-47641

Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks

Nov 14, 2023

MEDIUM 5.3

PyPI

CVE-2023-37276

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Jul 20, 2023

MEDIUM 6.5

PyPI

CVE-2024-23829

Jan 29, 2024

HIGH 7.5

PyPI

CVE-2024-23334

Jan 29, 2024

MEDIUM 5.3

PyPI

CVE-2023-49081

Nov 30, 2023

MEDIUM 5.3

PyPI

CVE-2023-49082

Nov 29, 2023

HIGH 7.5

PyPI

CVE-2023-47627

Nov 14, 2023

MEDIUM 6.5

PyPI

CVE-2023-47641

Nov 14, 2023

UNKNOWN

PyPI

CVE-2023-37276

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Jul 20, 2023

UNKNOWN

PyPI

CVE-2021-21330

Feb 26, 2021

aiohttp

Vulnerabilities

Withdrawn: Denial of Service in aiohttp

CVE-2022-33124

AIOHTTP is Vulnerable to Deserialization of Untrusted Data

AIOHTTP is vulnerable to cross-origin redirect with per-request cookies

AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

AIOHTTP has a Multipart Header Size Bypass

aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage

AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows

AIOHTTP has CRLF injection through multipart part content type header construction

AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector

AIOHTTP accepts duplicate Host headers

AIOHTTP has HTTP response splitting via \r in reason phrase

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

`aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)

aiohttp is vulnerable to directory traversal

aiohttp's ClientSession is vulnerable to CRLF injection via method

AIOHTTP's unicode processing of header values could cause parsing discrepancies

aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests

AIOHTTP vulnerable to brute-force leak of internal static ﬁle path components

aiohttp's ClientSession is vulnerable to CRLF injection via version

AIOHTTP Vulnerable to Cookie Parser Warning Storm

aiohttp has vulnerable dependency that is vulnerable to request smuggling

AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections

aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators

AIOHTTP has problems in HTTP parser (the python one, not llhttp)

AIOHTTP vulnerable to DoS when bypassing asserts

aiohttp allows request smuggling due to incorrect parsing of chunk extensions

AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb

AIOHTTP has unicode match groups in regexes for ASCII protocol elements

In aiohttp, compressed files as symlinks are not protected from path traversal

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

aiohttp Cross-site Scripting vulnerability on index pages for static file handling

AIOHTTP vulnerable to denial of service through large payloads

AIOHTTP vulnerable to DoS through chunked messages

Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

CVE-2024-23829

CVE-2024-23334

CVE-2023-49081

CVE-2023-49082

CVE-2023-47627

CVE-2023-47641

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

CVE-2021-21330

Start Securing