UNKNOWN PyPI
AIOHTTP has HTTP response splitting via \r in reason phrase
GHSA-mwh4-6h8g-pg8w · CVE-2026-34519
Description
Summary
An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or carry out similar attacks.
Impact
In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, an attacker could manipulate the response to send something different from what the developer intended.
Patch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b
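An added example, not aiohttp's code or the code from the patch: an application-side check that rejects a reason string containing CR, LF or other control characters before it reaches the status line, shown next to an unchecked writer. The function names, the lenient receiver and the sample reason string are constructed for illustration.

```python
import re

# RFC 9110 reason-phrase characters: HTAB, SP, VCHAR, obs-text.
# CR, LF and every other control character fall outside this set.
_REASON_PHRASE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def checked_reason(reason: str) -> str:
    """Return reason unchanged, or raise ValueError if it could break the status line."""
    if not _REASON_PHRASE.fullmatch(reason):
        raise ValueError(f"invalid character in reason phrase: {reason!r}")
    return reason


def build_head(status: int, reason: str, headers: dict, validate: bool) -> bytes:
    """Serialize a response head; validate=False stands in for an unchecked writer.

    Only the reason phrase is in scope here; header values are not checked.
    """
    if validate:
        reason = checked_reason(reason)
    lines = [f"HTTP/1.1 {status} {reason}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def lenient_header_names(raw: bytes) -> list:
    """Header names as seen by a receiver that accepts CRLF, bare CR or bare LF."""
    names = []
    for line in re.split(rb"\r\n|\r|\n", raw)[1:]:  # skip the status line
        if not line:  # blank line ends the head
            break
        names.append(line.split(b":", 1)[0].decode("latin-1"))
    return names


# Constructed sample input: a reason string carrying a bare CR.
UNTRUSTED_REASON = "OK\rX-Injected: 1"
HEADERS = {"Content-Type": "text/plain"}

if __name__ == "__main__":
    raw = build_head(200, UNTRUSTED_REASON, HEADERS, validate=False)
    print("unchecked writer, headers seen:", lenient_header_names(raw))
    try:
        build_head(200, UNTRUSTED_REASON, HEADERS, validate=True)
    except ValueError as exc:
        print("checked writer rejected:", exc)
```

Rejecting the value, instead of stripping the offending characters, keeps a malformed reason from being silently turned into a different but valid one.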
References
- WEB https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34519
- WEB https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b
- PACKAGE https://github.com/aio-libs/aiohttp
- WEB https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4