aiohttp (Python) – Support, CVEs & Health

GHSA-27mf-ghqm-j3j8 CVSS_V3

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

Published: 2024-11-18 Fixed in: 3.10.11

GHSA-2fqr-mr3j-6wp8 CVSS_V4

aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

Published: 2026-06-15 Fixed in: 3.14.1

GHSA-2vrm-gr82-f7m5 CVSS_V4

AIOHTTP has CRLF injection through multipart part content type header construction

Published: 2026-04-01 Fixed in: 3.13.4

GHSA-3wq7-rqq7-wx6j CVSS_V4

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Published: 2026-04-01 Fixed in: 3.13.4

GHSA-45c4-8wx5-qw6w CVSS_V3

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Published: 2023-07-20 Fixed in: 3.8.5

GHSA-4fvr-rgm6-gqmc CVSS_V4

aiohttp: HTTP/1 Pipelined Requests Queue Without Limit

Published: 2026-06-15 Fixed in: 3.14.1

GHSA-4m7w-qmgq-4wj5 CVSS_V4

aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections

Published: 2026-06-15 Fixed in: 3.14.1

GHSA-54jq-c3m8-4m76 CVSS_V4

AIOHTTP vulnerable to brute-force leak of internal static ﬁle path components

Published: 2026-01-05 Fixed in: 3.13.3

GHSA-5h86-8mv2-jq9f CVSS_V3

aiohttp is vulnerable to directory traversal

Published: 2024-01-29 Fixed in: 3.9.2

GHSA-5m98-qgg9-wh84 CVSS_V3

aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests

Published: 2024-05-03 Fixed in: 3.9.4

aiohttp