CRITICAL 9.1 PyPI

AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

GHSA-63hf-3vf5-4wqf · CVE-2026-34520


Description

Summary

The C parser (llhttp, the default for most installs) accepted null bytes and control characters in response header values.

Impact

An attacker could send header values that are interpreted differently than expected because of embedded control characters. For example, request.url.origin() may return a value that differs from the raw Host header, or from what a reverse proxy interpreted it as, potentially resulting in some kind of security bypass.
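To make the defect class concrete, here is an added example (not aiohttp's code and not the patch) that applies the RFC 9110 field-value rule to a constructed header block: a lenient split like the vulnerable parser's, a strict check that flags NUL and other control characters, and a helper showing why a NUL-terminated consumer and a length-aware consumer disagree about the same value. The sample header blocks are constructed for the example.

```python
import re
from typing import List, Tuple

# RFC 9110 field-value allows VCHAR (0x21-0x7E), SP, HTAB and obs-text (0x80-0xFF).
# NUL, the other C0 controls and DEL are not valid inside a header value.
_INVALID_FIELD_CHARS = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")

# Constructed sample header blocks (not taken from the advisory).
CLEAN_BLOCK = b"Host: example.com\r\nContent-Type: text/plain\r\n"
TAINTED_BLOCK = (
    b"Host: example.com\x00.internal\r\n"   # NUL inside the value
    b"X-Note: a\x0bb\r\n"                   # vertical tab (0x0B) inside the value
    b"Content-Type: text/plain\r\n"
)


def parse_header_block(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Lenient split of a CRLF-delimited header block into (name, value) pairs.
    Like the vulnerable parser, this does NOT reject control characters."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip(b" \t")))
    return headers


def find_control_char_violations(headers: List[Tuple[bytes, bytes]]) -> List[Tuple[bytes, bytes]]:
    """Return the (name, value) pairs whose value contains NUL or another control char."""
    return [(n, v) for n, v in headers if _INVALID_FIELD_CHARS.search(v)]


def c_string_view(value: bytes) -> bytes:
    """What a consumer with C-string semantics sees: only the bytes before the first NUL.
    A length-aware consumer sees the whole value, so the two disagree."""
    return value.split(b"\x00", 1)[0]


def header_block_is_safe(raw: bytes) -> bool:
    """Strict acceptance check: True only if no header value carries control chars."""
    return not find_control_char_violations(parse_header_block(raw))


if __name__ == "__main__":
    for name, value in find_control_char_violations(parse_header_block(TAINTED_BLOCK)):
        print(f"reject {name!r}: full={value!r} c_string={c_string_view(value)!r}")
```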


Patch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4
