HIGH 7.5 PyPI
GHSA-27mf-ghqm-j3j8 · CVE-2024-52303 aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method
Modified: 2/4/2026
package
PyPI / aiohttp
pkg:pypi/aiohttp
LOW PyPI
GHSA-2fqr-mr3j-6wp8 · CVE-2026-54279 aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
Modified: 6/15/2026
LOW PyPI
GHSA-2vrm-gr82-f7m5 · CVE-2026-34514 AIOHTTP has CRLF injection through multipart part content type header construction
Modified: 4/6/2026
LOW PyPI
GHSA-3wq7-rqq7-wx6j · CVE-2026-34517 AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
Modified: 4/2/2026
MEDIUM 5.3 PyPI
GHSA-45c4-8wx5-qw6w · CVE-2023-37276, PYSEC-2023-120 aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Modified: 9/3/2024
MEDIUM PyPI
GHSA-4fvr-rgm6-gqmc · CVE-2026-54273 aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
Modified: 6/15/2026
LOW PyPI
GHSA-4m7w-qmgq-4wj5 · CVE-2026-54275 aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
Modified: 6/15/2026
LOW PyPI
GHSA-54jq-c3m8-4m76 · CVE-2025-69226 AIOHTTP vulnerable to brute-force leak of internal static file path components
Modified: 2/4/2026
MEDIUM 5.9 PyPI
GHSA-5h86-8mv2-jq9f · CVE-2024-23334, PYSEC-2024-24 aiohttp is vulnerable to directory traversal
Modified: 2/4/2026
HIGH 7.5 PyPI
GHSA-5m98-qgg9-wh84 · CVE-2024-30251 aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
Modified: 2/4/2026
CRITICAL 9.1 PyPI
GHSA-63hf-3vf5-4wqf · CVE-2026-34520 AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
Modified: 4/6/2026
MEDIUM PyPI
GHSA-63hw-fmq6-xxg2 · CVE-2026-54277 aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Modified: 6/15/2026
LOW PyPI
GHSA-69f9-5gxw-wvc2 · CVE-2025-69224 AIOHTTP's unicode processing of header values could cause parsing discrepancies
Modified: 2/4/2026
MEDIUM PyPI
GHSA-6jhg-hg63-jvvf · CVE-2025-69228 AIOHTTP vulnerable to denial of service through large payloads
Modified: 2/4/2026
HIGH 7.5 PyPI
GHSA-6mq8-rvhq-8wgg · CVE-2025-69223 AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
Modified: 2/4/2026
MEDIUM 6.1 PyPI
GHSA-7gpw-8wmc-pm8g · CVE-2024-27306 aiohttp Cross-site Scripting vulnerability on index pages for static file handling
Modified: 2/4/2026
MEDIUM PyPI
GHSA-8495-4g3g-x7pr · CVE-2024-52304 aiohttp allows request smuggling due to incorrect parsing of chunk extensions
Modified: 2/4/2026
MEDIUM 6.5 PyPI
GHSA-8qpw-xqxj-h4r2 · CVE-2024-23829, PYSEC-2024-26 aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
Modified: 2/4/2026
LOW PyPI
GHSA-9548-qrrj-x5pj · CVE-2025-53643 AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
Modified: 2/4/2026
MEDIUM 5.3 PyPI
GHSA-966j-vmvw-g2g9 · CVE-2026-34518 AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
Modified: 5/5/2026
LOW PyPI
GHSA-9x8q-7h8h-wcw9 · CVE-2026-54280 aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Modified: 6/15/2026
MEDIUM PyPI
GHSA-c427-h43c-vf67 · CVE-2026-34525 AIOHTTP accepts duplicate Host headers
Modified: 4/2/2026
LOW PyPI
GHSA-fh55-r93g-j68g · CVE-2025-69230 AIOHTTP Vulnerable to Cookie Parser Warning Storm
Modified: 2/4/2026
MEDIUM PyPI
GHSA-g3cq-j2xw-wf74 · CVE-2026-54278 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
Modified: 6/15/2026
MEDIUM PyPI
GHSA-g84x-mcqj-x9qq · CVE-2025-69229 AIOHTTP vulnerable to DoS through chunked messages
Modified: 2/4/2026
MEDIUM 5.3 PyPI
GHSA-gfw2-4jvh-wgfg · CVE-2023-47627, PYSEC-2023-246 AIOHTTP has problems in HTTP parser (the python one, not llhttp)
Modified: 2/4/2026
LOW PyPI
GHSA-hcc4-c3v8-rx92 · CVE-2026-34513 AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
Modified: 4/6/2026
MEDIUM PyPI
GHSA-hg6j-4rv6-33pg · CVE-2026-47265 AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
Modified: 6/4/2026
MEDIUM PyPI
GHSA-hpj7-wq8m-9hgp · CVE-2026-54276 aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
Modified: 6/15/2026
MEDIUM 6.4 PyPI
GHSA-jg22-mg44-37j8 · CVE-2026-34993 AIOHTTP is Vulnerable to Deserialization of Untrusted Data
Modified: 6/4/2026
MEDIUM PyPI
GHSA-jj3x-wxrx-4x23 · CVE-2025-69227 AIOHTTP vulnerable to DoS when bypassing asserts
Modified: 2/4/2026
MEDIUM 4.8 PyPI
GHSA-jwhx-xcg6-8xhj · CVE-2024-42367 In aiohttp, compressed files as symlinks are not protected from path traversal
Modified: 2/4/2026
HIGH 7.5 PyPI
GHSA-m5qp-6w8w-w647 · CVE-2026-34516 AIOHTTP has a Multipart Header Size Bypass
Modified: 4/6/2026
LOW PyPI
GHSA-m6qw-4cw2-hm4m · CVE-2026-50269 aiohttp: CRLF injection in multipart headers
Modified: 6/15/2026
LOW PyPI
GHSA-mqqc-3gqh-h2x8 · CVE-2025-69225 AIOHTTP has unicode match groups in regexes for ASCII protocol elements
Modified: 2/4/2026
LOW PyPI
GHSA-mwh4-6h8g-pg8w · CVE-2026-34519 AIOHTTP has HTTP response splitting via \r in reason phrase
Modified: 4/2/2026
MEDIUM PyPI
GHSA-p998-jp59-783m · CVE-2026-34515 AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
Modified: 4/6/2026
MEDIUM PyPI
GHSA-pjjw-qhg8-p2p9 aiohttp has vulnerable dependency that is vulnerable to request smuggling
Modified: 2/4/2026
HIGH 7.2 PyPI
GHSA-q3qx-c6g2-7pw2 · CVE-2023-49081, PYSEC-2023-250 aiohttp's ClientSession is vulnerable to CRLF injection via version
Modified: 2/4/2026
MEDIUM 5.3 PyPI
GHSA-qvrw-v9rv-5rjx · CVE-2023-49082, PYSEC-2023-251 aiohttp's ClientSession is vulnerable to CRLF injection via method
Modified: 2/4/2026
LOW 3.1 PyPI
GHSA-v6wp-4m6f-gcjg · CVE-2021-21330, PYSEC-2021-76 `aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)
Modified: 3/13/2026
MEDIUM PyPI
GHSA-w2fm-2cpv-w7v5 · CVE-2026-22815 aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
Modified: 4/6/2026
MEDIUM PyPI
GHSA-xcgm-r5h9-7989 · CVE-2026-54274 aiohttp: Incomplete websocket frame payloads bypass memory limits
Modified: 6/15/2026
LOW 3.4 PyPI
GHSA-xx9p-xxvh-7g8j · CVE-2023-47641, PYSEC-2023-247 Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
Modified: 11/3/2025
— PyPI
PYSEC-2021-76 · CVE-2021-21330, GHSA-v6wp-4m6f-gcjg Modified: 11/8/2023
— PyPI
PYSEC-2023-120 · CVE-2023-37276, GHSA-45c4-8wx5-qw6w aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Modified: 11/8/2023
HIGH 7.5 PyPI
PYSEC-2023-246 · CVE-2023-47627, GHSA-gfw2-4jvh-wgfg Modified: 11/22/2023
MEDIUM 6.5 PyPI
PYSEC-2023-247 · CVE-2023-47641, GHSA-xx9p-xxvh-7g8j Modified: 11/22/2023
MEDIUM 5.3 PyPI
PYSEC-2023-250 · CVE-2023-49081, GHSA-q3qx-c6g2-7pw2 Modified: 1/29/2024
MEDIUM 5.3 PyPI
PYSEC-2023-251 · CVE-2023-49082, GHSA-qvrw-v9rv-5rjx Modified: 1/29/2024
HIGH 7.5 PyPI
PYSEC-2024-24 · CVE-2024-23334, GHSA-5h86-8mv2-jq9f Modified: 2/5/2024
MEDIUM 6.5 PyPI
PYSEC-2024-26 · CVE-2024-23829, GHSA-8qpw-xqxj-h4r2 Modified: 2/6/2024