AIOHTTP is Vulnerable to Deserialization of Untrusted Data

GHSA-jg22-mg44-37j8 · CVE-2026-34993

Published Jun 3, 2026 · Modified Jun 4, 2026

Description

Using CookieJar.load() with untrusted input may allow arbitrary code execution.

Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.

If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.

Ready to move

Free, no credit card | First findings in minutes