# python-aiohttp (rpm package, openSUSE Tumbleweed)

Package URL: `pkg:rpm/opensuse/python-aiohttp?distro=openSUSE%20Tumbleweed`

## Vulnerabilities (26)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-54275 | Low | — | — | < 3.14.1-1.1 | 3.14.1-1.1 | Jun 15, 2026 | **Summary:** The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused. **Impact:** If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reus |
| CVE-2026-54273 | — | — | — | < 3.14.1-1.1 | 3.14.1-1.1 | Jun 15, 2026 | **Summary:** No limit was present on the number of pipelined requests that could be queued. **Impact:** An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. Patch: https://github.com/aio-libs/aiohttp/commit/dfd |
| CVE-2026-54277 | — | — | — | < 3.14.1-1.1 | 3.14.1-1.1 | Jun 15, 2026 | **Summary:** It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. **Impact:** If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an exces |
| CVE-2026-54279 | Low | — | — | < 3.14.1-1.1 | 3.14.1-1.1 | Jun 15, 2026 | **Summary:** Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status. **Impact:** Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disall |
| CVE-2026-50269 | Low | — | — | < 3.14.1-1.1 | 3.14.1-1.1 | Jun 15, 2026 | **Summary:** Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. **Impact:** In the unlikely situation that an application is passing user-controlled strings into `MultipartWriter.append(heade |
| CVE-2026-34993 | Medium | 6.4 | — | < 3.14.0-1.1 | 3.14.0-1.1 | Jun 2, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is |
| CVE-2026-34520 | Critical | 9.1 | — | < 3.13.5-3.1 | 3.13.5-3.1 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4. |
| CVE-2026-34516 | High | 7.5 | — | < 3.13.5-3.1 | 3.13.5-3.1 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched |
| CVE-2026-34514 | Medium | 5.3 | — | < 3.13.5-2.1 | 3.13.5-2.1 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. |
| CVE-2025-69230 | — | — | — | < 3.13.3-1.1 | 3.13.3-1.1 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w |
| CVE-2025-69229 | — | — | — | < 3.13.3-1.1 | 3.13.3-1.1 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method |
| CVE-2025-69228 | — | — | — | < 3.13.3-1.1 | 3.13.3-1.1 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ |
| CVE-2025-69227 | — | — | — | < 3.13.3-1.1 | 3.13.3-1.1 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI |
| CVE-2025-69225 | — | — | — | < 3.13.3-1.1 | 3.13.3-1.1 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi |
| CVE-2025-69226 | — | — | — | < 3.13.3-1.1 | 3.13.3-1.1 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica |
| CVE-2025-69224 | — | — | — | < 3.13.3-1.1 | 3.13.3-1.1 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u |
| CVE-2025-69223 | — | — | — | < 3.13.3-1.1 | 3.13.3-1.1 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust |
| CVE-2024-12254 | High | 7.5 | — | < 3.11.16-1.1 | 3.11.16-1.1 | Dec 6, 2024 | Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain |
| CVE-2024-52303 | — | — | — | < 3.11.9-1.1 | 3.11.9-1.1 | Nov 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the build |
| CVE-2024-42367 | — | — | — | < 3.10.5-1.1 | 3.10.5-1.1 | Aug 9, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director |
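The "Fixed in" column holds Tumbleweed package EVRs (version-release), so the practical question for an operator is whether the installed rpm sorts at or above each of them under rpm's own ordering rules. The script below is an added example, not part of this page or of the aiohttp project: it re-implements rpm's `rpmvercmp()` segment comparison (digit runs compare numerically, letter runs lexically, `~` sorts before everything, `^` sorts after everything except end of string), compares full epoch:version-release strings, and lists the CVEs from the table whose fix is newer than a given installed EVR. The advisory-to-version map is copied from the table; the installed EVR in `main` is a constructed sample, and the `python-aiohttp` package name is an assumption.

```python
"""Compare an installed openSUSE python-aiohttp EVR against the "Fixed in"
EVRs of the advisories listed above, using rpm's version ordering.

Added example: rpmvercmp() is re-implemented here so the check runs offline;
nothing calls the rpm binary.
"""

# Fixed-in EVRs copied from the advisory table, grouped by version.
ADVISORIES = {
    "3.14.1-1.1": ("CVE-2026-54275", "CVE-2026-54273", "CVE-2026-54277",
                   "CVE-2026-54279", "CVE-2026-50269"),
    "3.14.0-1.1": ("CVE-2026-34993",),
    "3.13.5-3.1": ("CVE-2026-34520", "CVE-2026-34516"),
    "3.13.5-2.1": ("CVE-2026-34514",),
    "3.13.3-1.1": ("CVE-2025-69230", "CVE-2025-69229", "CVE-2025-69228",
                   "CVE-2025-69227", "CVE-2025-69225", "CVE-2025-69226",
                   "CVE-2025-69224", "CVE-2025-69223"),
    "3.11.16-1.1": ("CVE-2024-12254",),
    "3.11.9-1.1": ("CVE-2024-52303",),
    "3.10.5-1.1": ("CVE-2024-42367",),
}


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as rpm's rpmvercmp(a, b)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') carry no meaning.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":      # '~' sorts before anything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":      # '^' sorts after anything except end of string
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:            # one side exhausted: decided after the loop
            break
        # Take a digit run from both sides if a starts with a digit, else a letter run.
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and pred(a[i]):
            i += 1
        while j < len(b) and pred(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:                      # segment types differ: numeric beats alpha
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # more significant digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> tuple:
    """Split 'epoch:version-release' as printed by
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'; a missing or '(none)' epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """-1/0/1 ordering of two EVRs: epoch decides first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def unfixed_advisories(installed_evr: str) -> list:
    """CVEs from the table whose 'Fixed in' EVR is newer than the installed one."""
    return sorted(cve for fixed, cves in ADVISORIES.items()
                  if compare_evr(installed_evr, fixed) < 0 for cve in cves)


if __name__ == "__main__":
    installed = "3.13.5-3.1"   # constructed sample; substitute the rpm -q output
    print("python-aiohttp", installed, "still affected by:",
          unfixed_advisories(installed) or "nothing listed")
```

Feed it the real value with `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' <package>`; on Tumbleweed the binary package may carry a Python-flavor prefix rather than the bare `python-aiohttp` name shown here. Two caveats from the table itself: CVE-2026-54277 and CVE-2026-34520 concern the optimised C parser, while CVE-2025-69224 concerns the pure-Python parser, so which parser the installed build actually uses determines which of these apply even before the version comparison.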
Page 1 of 2 (20 of the 26 entries are listed above)