CRITICAL 9.1

GHSA-63hf-3vf5-4wqf

AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Details

### Summary

The C parser (llhttp, the default for most installs) accepted null bytes and control characters in response header values instead of rejecting the header as malformed.

### Impact

An attacker could send header values that are interpreted differently than expected because of embedded control characters: a consumer that stops at a null byte, or splits on a bare CR or LF, sees a different value than one that takes the raw bytes as-is. For example, `request.url.origin()` may return a different value than the raw Host header, or than what a reverse proxy in front of the application interpreted it as, potentially resulting in a security bypass of checks that rely on those values agreeing.
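To make the mismatch concrete, the following is an added example (not aiohttp's or llhttp's code) of a minimal header-block parser with a strict mode that enforces the RFC 9110 field-value grammar (no NUL, no control characters other than HTAB) and a lax mode that keeps them, the way the pre-fix parser did. The `c_string_view` helper and the `SAMPLE` header block are constructed for this illustration; they show how one consumer that treats a header value as a NUL-terminated string sees `example.com` while another sees the full injected value.

```python
import re

# RFC 9110 field-value = *(VCHAR / SP / HTAB / obs-text).
# Everything in 0x00-0x1F other than HTAB, plus DEL (0x7F), is forbidden.
_FIELD_VALUE_RE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")
# RFC 9110 token characters, used for header names.
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def is_valid_field_value(value: bytes) -> bool:
    """True if the bytes contain no NUL and no control characters except HTAB."""
    return _FIELD_VALUE_RE.fullmatch(value) is not None


def parse_headers(block: bytes, strict: bool = True) -> dict[bytes, bytes]:
    """Parse a CRLF-delimited header block (the lines after the status line,
    up to and including the empty line that ends the block).

    strict=True  -> reject NUL/control characters in values (the fixed behaviour)
    strict=False -> keep them verbatim (the behaviour the advisory describes)
    """
    headers: dict[bytes, bytes] = {}
    for line in block.split(b"\r\n"):
        if not line:            # empty line terminates the header block
            break
        name, sep, value = line.partition(b":")
        if not sep or _TOKEN_RE.fullmatch(name) is None:
            raise ValueError(f"malformed header line: {line!r}")
        value = value.strip(b" \t")   # optional whitespace around the value
        if strict and not is_valid_field_value(value):
            raise ValueError(f"control character in value of {name!r}: {value!r}")
        headers[name.lower()] = value
    return headers


def c_string_view(value: bytes) -> bytes:
    """What a consumer that treats the value as a NUL-terminated C string sees
    (constructed helper to illustrate the interpretation mismatch)."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


# Constructed header block: the Host value carries an embedded NUL so that a
# NUL-terminating consumer and a raw-bytes consumer disagree on the host.
SAMPLE = (
    b"Host: example.com\x00evil.example\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
)


def host_interpretations(block: bytes) -> tuple[bytes, bytes]:
    """Return (raw Host value, NUL-terminated view) as the lax parser yields them."""
    raw = parse_headers(block, strict=False)[b"host"]
    return raw, c_string_view(raw)


if __name__ == "__main__":
    raw, truncated = host_interpretations(SAMPLE)
    print("lax parser, raw bytes      :", raw)
    print("lax parser, C-string view  :", truncated)
    try:
        parse_headers(SAMPLE, strict=True)
    except ValueError as exc:
        print("strict parser rejects it   :", exc)
```

The strict check is the one worth carrying into your own code: validate header values against the field-value grammar at the boundary, before any component (origin derivation, host allow-lists, a reverse proxy, a C-string-based downstream) gets to form its own opinion about what the value means.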

-----

Patch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4


Affected packages

PyPI / aiohttp
Introduced in: 0
Fixed in: 3.13.4
Fix: pip install --upgrade 'aiohttp>=3.13.4'
