MEDIUM 6.4
GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
Details
### Summary
Using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution.
### Impact
Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.
### Workaround
If an application does allow attacker-controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.
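One way to implement the sanitising step, as an added example that is not code from the advisory or from aiohttp. It assumes the jar file is a pickle of a `defaultdict` of `SimpleCookie` objects, as older releases' `CookieJar.save()` writes; the allowlist, `JarUnpickler`, `sanitise_jar_bytes` and `constructed_samples` are hypothetical names.

```python
import io
import pickle
from collections import defaultdict
from http.cookies import Morsel, SimpleCookie

# Assumption: the only globals a legitimate jar file needs to reference.
ALLOWED_GLOBALS = {
    ("collections", "defaultdict"): defaultdict,
    ("http.cookies", "SimpleCookie"): SimpleCookie,
    ("http.cookies", "Morsel"): Morsel,
}


class JarUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"global {module}.{name} is not allowed in a cookie jar file"
            ) from None


def sanitise_jar_bytes(data: bytes) -> bytes:
    """Validate an untrusted jar file and return a freshly pickled copy."""
    jar = JarUnpickler(io.BytesIO(data)).load()
    # The top-level object must be the mapping the jar itself would create.
    if not isinstance(jar, defaultdict) or jar.default_factory is not SimpleCookie:
        raise pickle.UnpicklingError("top-level object is not a cookie jar mapping")
    for key, cookies in jar.items():
        if type(cookies) is not SimpleCookie:
            raise pickle.UnpicklingError(f"unexpected value type under {key!r}")
    # Re-serialise the validated object so the loader never reads the original bytes.
    return pickle.dumps(jar, pickle.HIGHEST_PROTOCOL)


def constructed_samples():
    """Constructed inputs: a well-formed jar and a file naming a foreign global."""
    good = defaultdict(SimpleCookie)
    good[("example.com", "/")]["session"] = "abc123"
    return pickle.dumps(good, pickle.HIGHEST_PROTOCOL), pickle.dumps(len)
```

Write the returned bytes to a new file that only the application can modify and pass that path to `CookieJar.load()`, so the bytes that were validated are the bytes that get loaded.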
-----
Patch: https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00