Skip to main content

Aiohttp

23 CVEs product

Monthly

CVE-2026-34993 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in the aiohttp Python framework (versions prior to 3.14.0) arises when CookieJar.load() deserializes an attacker-controlled file, classed as CWE-502 unsafe deserialization. An attacker who can plant or substitute the persisted cookie file and induce the application to load it gains code execution in the host process. There is no public exploit identified at time of analysis, EPSS is very low (0.06%), and CISA SSVC rates exploitation as none - consistent with the library's own note that the function is normally used on the user's own trusted data.

RCE Deserialization Python Aiohttp
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-69230 PyPI MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. [CVSS 5.3 MEDIUM]

Python Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-69229 PyPI MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]

Python Denial Of Service Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69228 PyPI HIGH PATCH This Week

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. [CVSS 7.5 HIGH]

Python Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69227 PyPI HIGH PATCH This Week

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. [CVSS 7.5 HIGH]

Python Denial Of Service Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69225 PyPI MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. [CVSS 5.3 MEDIUM]

Python Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-69226 PyPI MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. [CVSS 5.3 MEDIUM]

Python Path Traversal Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69224 PyPI MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. [CVSS 6.5 MEDIUM]

Python Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69223 PyPI HIGH PATCH This Week

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. [CVSS 7.5 HIGH]

Python Aiohttp Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53643 PyPI HIGH PATCH This Week

AIOHTTP versions prior to 3.12.14 contain a request smuggling vulnerability in the Python parser that fails to properly parse HTTP trailer sections, allowing attackers to bypass firewalls and proxy protections when the pure Python implementation is used. This vulnerability affects deployments running AIOHTTP without C extensions or with AIOHTTP_NO_EXTENSIONS enabled, enabling HTTP request smuggling attacks with high integrity impact. The vulnerability has a CVSS score of 7.5 (High) and is unauthenticated, network-accessible, and requires no user interaction.

Python Authentication Bypass Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-52304 PyPI MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Authentication Bypass Python Request Smuggling Aiohttp
NVD GitHub
CVSS 4.0
6.3
EPSS
0.6%
CVE-2024-52303 PyPI HIGH PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Aiohttp
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2024-42367 PyPI MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Path Traversal Python Aiohttp
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2024-30251 PyPI HIGH PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Aiohttp
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-27306 PyPI MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Nginx Python Aiohttp Fedora
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2023-49081 PyPI MEDIUM POC PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Python Aiohttp
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.9%
CVE-2023-49082 PyPI MEDIUM POC PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Python Aiohttp
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.9%
CVE-2023-47641 PyPI MEDIUM POC PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Open Redirect Aiohttp
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-47627 PyPI HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure Aiohttp
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2023-37276 PyPI HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure Aiohttp
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-33124 MEDIUM POC This Month

AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Aiohttp
NVD GitHub
CVSS 3.1
5.5
EPSS
0.7%
CVE-2021-21330 PyPI MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Aiohttp Debian Linux Fedora
NVD GitHub
CVSS 3.1
6.1
EPSS
1.9%
CVE-2026-50269 PyPI LOW PATCH GHSA Monitor

py3-aiohttp in Alpine Linux received a security fix packaged as version 3.14.1-r0. The nature of the underlying vulnerability - its attack vector, impact, and exploitation conditions - is not described in the available intelligence. This CVE record is minimal: only the affected package name and the Alpine Linux fix version are confirmed. Security teams should consult the upstream aiohttp changelog and Alpine Linux security advisories for the actual vulnerability details before assessing risk.

Information Disclosure Aiohttp
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Arbitrary code execution in the aiohttp Python framework (versions prior to 3.14.0) arises when CookieJar.load() deserializes an attacker-controlled file, classed as CWE-502 unsafe deserialization. An attacker who can plant or substitute the persisted cookie file and induce the application to load it gains code execution in the host process. There is no public exploit identified at time of analysis, EPSS is very low (0.06%), and CISA SSVC rates exploitation as none - consistent with the library's own note that the function is normally used on the user's own trusted data.

RCE Deserialization Python +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. [CVSS 5.3 MEDIUM]

Python Aiohttp Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]

Python Denial Of Service Aiohttp +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. [CVSS 7.5 HIGH]

Python Aiohttp Red Hat +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. [CVSS 7.5 HIGH]

Python Denial Of Service Aiohttp +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. [CVSS 5.3 MEDIUM]

Python Aiohttp Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. [CVSS 5.3 MEDIUM]

Python Path Traversal Aiohttp +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. [CVSS 6.5 MEDIUM]

Python Aiohttp Red Hat +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. [CVSS 7.5 HIGH]

Python Aiohttp Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

AIOHTTP versions prior to 3.12.14 contain a request smuggling vulnerability in the Python parser that fails to properly parse HTTP trailer sections, allowing attackers to bypass firewalls and proxy protections when the pure Python implementation is used. This vulnerability affects deployments running AIOHTTP without C extensions or with AIOHTTP_NO_EXTENSIONS enabled, enabling HTTP request smuggling attacks with high integrity impact. The vulnerability has a CVSS score of 7.5 (High) and is unauthenticated, network-accessible, and requires no user interaction.

Python Authentication Bypass Aiohttp +2
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Authentication Bypass Python Request Smuggling +1
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Aiohttp
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Path Traversal Python Aiohttp
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Aiohttp
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Nginx Python +2
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Python Aiohttp
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Python Aiohttp
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Open Redirect +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Aiohttp
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Aiohttp +2
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

py3-aiohttp in Alpine Linux received a security fix packaged as version 3.14.1-r0. The nature of the underlying vulnerability - its attack vector, impact, and exploitation conditions - is not described in the available intelligence. This CVE record is minimal: only the affected package name and the Alpine Linux fix version are confirmed. Security teams should consult the upstream aiohttp changelog and Alpine Linux security advisories for the actual vulnerability details before assessing risk.

Information Disclosure Aiohttp
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy