aiohttp Support & Health

GHSA-27mf-ghqm-j3j8 CVSS_V3

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

Published: 2024-11-18 Fixed in: 3.10.11

GHSA-2vrm-gr82-f7m5 CVSS_V4

AIOHTTP has CRLF injection through multipart part content type header construction

Published: 2026-04-01 Fixed in: 3.13.4

GHSA-3wq7-rqq7-wx6j CVSS_V4

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Published: 2026-04-01 Fixed in: 3.13.4

GHSA-45c4-8wx5-qw6w CVSS_V3

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Published: 2023-07-20 Fixed in: 3.8.5

GHSA-54jq-c3m8-4m76 CVSS_V4

AIOHTTP vulnerable to brute-force leak of internal static ﬁle path components

Published: 2026-01-05 Fixed in: 3.13.3

GHSA-5h86-8mv2-jq9f CVSS_V3

aiohttp is vulnerable to directory traversal

Published: 2024-01-29 Fixed in: 3.9.2

GHSA-5m98-qgg9-wh84 CVSS_V3

aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests

Published: 2024-05-03 Fixed in: 3.9.4

GHSA-63hf-3vf5-4wqf CVSS_V3

AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Published: 2026-04-01 Fixed in: 3.13.4

GHSA-69f9-5gxw-wvc2 CVSS_V4

AIOHTTP's unicode processing of header values could cause parsing discrepancies

Published: 2026-01-05 Fixed in: 3.13.3

GHSA-6jhg-hg63-jvvf CVSS_V4

AIOHTTP vulnerable to denial of service through large payloads

Published: 2026-01-05 Fixed in: 3.13.3

aiohttp