Aiohttp
Monthly
Arbitrary code execution in the aiohttp Python framework (versions prior to 3.14.0) arises when CookieJar.load() deserializes an attacker-controlled file, classed as CWE-502 unsafe deserialization. An attacker who can plant or substitute the persisted cookie file and induce the application to load it gains code execution in the host process. There is no public exploit identified at time of analysis, EPSS is very low (0.06%), and CISA SSVC rates exploitation as none - consistent with the library's own note that the function is normally used on the user's own trusted data.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. [CVSS 7.5 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. [CVSS 7.5 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. [CVSS 6.5 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. [CVSS 7.5 HIGH]
AIOHTTP versions prior to 3.12.14 contain a request smuggling vulnerability in the Python parser that fails to properly parse HTTP trailer sections, allowing attackers to bypass firewalls and proxy protections when the pure Python implementation is used. This vulnerability affects deployments running AIOHTTP without C extensions or with AIOHTTP_NO_EXTENSIONS enabled, enabling HTTP request smuggling attacks with high integrity impact. The vulnerability has a CVSS score of 7.5 (High) and is unauthenticated, network-accessible, and requires no user interaction.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.
py3-aiohttp in Alpine Linux received a security fix packaged as version 3.14.1-r0. The nature of the underlying vulnerability - its attack vector, impact, and exploitation conditions - is not described in the available intelligence. This CVE record is minimal: only the affected package name and the Alpine Linux fix version are confirmed. Security teams should consult the upstream aiohttp changelog and Alpine Linux security advisories for the actual vulnerability details before assessing risk.
Arbitrary code execution in the aiohttp Python framework (versions prior to 3.14.0) arises when CookieJar.load() deserializes an attacker-controlled file, classed as CWE-502 unsafe deserialization. An attacker who can plant or substitute the persisted cookie file and induce the application to load it gains code execution in the host process. There is no public exploit identified at time of analysis, EPSS is very low (0.06%), and CISA SSVC rates exploitation as none - consistent with the library's own note that the function is normally used on the user's own trusted data.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. [CVSS 7.5 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. [CVSS 7.5 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. [CVSS 6.5 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. [CVSS 7.5 HIGH]
AIOHTTP versions prior to 3.12.14 contain a request smuggling vulnerability in the Python parser that fails to properly parse HTTP trailer sections, allowing attackers to bypass firewalls and proxy protections when the pure Python implementation is used. This vulnerability affects deployments running AIOHTTP without C extensions or with AIOHTTP_NO_EXTENSIONS enabled, enabling HTTP request smuggling attacks with high integrity impact. The vulnerability has a CVSS score of 7.5 (High) and is unauthenticated, network-accessible, and requires no user interaction.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.
py3-aiohttp in Alpine Linux received a security fix packaged as version 3.14.1-r0. The nature of the underlying vulnerability - its attack vector, impact, and exploitation conditions - is not described in the available intelligence. This CVE record is minimal: only the affected package name and the Alpine Linux fix version are confirmed. Security teams should consult the upstream aiohttp changelog and Alpine Linux security advisories for the actual vulnerability details before assessing risk.