EUVD-2026-18046
GHSA-63hf-3vf5-4wqf
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 127 pypi packages depend on aiohttp (38 direct, 89 indirect)
Ecosystem-wide dependent count for version 3.13.4.
DescriptionNVD
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
AnalysisAI
AIOHTTP's C parser accepts null bytes and control characters in HTTP response headers prior to version 3.13.4, allowing remote attackers to inject malformed headers that bypass validation and cause information disclosure. This vulnerability affects all versions before 3.13.4 and has been patched upstream; exploitation requires no authentication or user interaction but results in limited integrity impact to response headers rather than confidentiality breach.
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today