LOW

GHSA-4m7w-qmgq-4wj5

aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections

Details

### Summary

The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused.

### Impact

If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.

### Workaround

Disable keep_alive if you need to change the `server_hostname` check between requests.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/0ca2b6c28a25726527a8b60f25960262a91ed0e0

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.14.1

Fix pip install --upgrade 'aiohttp>=3.14.1'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4m7w-qmgq-4wj5 [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]