Severity: LOW

GHSA-m6qw-4cw2-hm4m

aiohttp: CRLF injection in multipart headers

Details

### Summary

Attacker-controlled input that is included in multipart or payload headers can be used to modify a request, for example to inject additional headers.

### Impact

In the unlikely situation that an application passes user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may be able to modify the request to inject headers or change the contents of the request.

### Workaround

Sanitise such user input (reject or strip CR and LF characters) before passing it to these APIs.
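The following is an added, stdlib-only illustration of that workaround; it is example code, not aiohttp's own validation and not the content of the linked patch. It checks header names and values for CR, LF and NUL before they would reach `MultipartWriter.append(headers=...)`, and uses a constructed sample to show why an unchecked CRLF join turns one tainted `filename` value into two header lines. The function names, regular expressions and sample values are assumptions made for the example.

```python
import re

# Bytes that must never appear inside a header value: CR and LF terminate a
# header line, so a value containing them can smuggle in a second header.
# NUL is rejected as well because it has no valid meaning in a header.
_FORBIDDEN_IN_VALUE = re.compile(r"[\r\n\x00]")

# Header names must be an RFC 7230 "token": no whitespace, no separators.
_HEADER_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_part_headers(headers):
    """Return a copy of ``headers`` that is safe to pass as the ``headers=``
    argument of MultipartWriter.append(). Raises ValueError if any name or
    value could break out of its own header line (hypothetical helper)."""
    clean = {}
    for name, value in headers.items():
        name, value = str(name), str(value)
        if not _HEADER_TOKEN.match(name):
            raise ValueError(f"invalid header name: {name!r}")
        if _FORBIDDEN_IN_VALUE.search(value):
            raise ValueError(f"control characters in header {name}: {value!r}")
        clean[name] = value
    return clean


def is_safe_headers(headers):
    """Boolean form of validate_part_headers() for callers that prefer a check
    over an exception."""
    try:
        validate_part_headers(headers)
    except ValueError:
        return False
    return True


def naive_serialize(headers):
    """Serialize part headers the way an unchecked writer would: join every
    name/value pair with CRLF and finish with an empty line. Used here only to
    show how a CRLF inside one value becomes an additional header line."""
    return "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"


def count_header_lines(serialized):
    """Number of non-empty header lines in a serialized header block."""
    return len([line for line in serialized.split("\r\n") if line])


# Constructed samples: the same Content-Disposition header with a benign
# filename and with a filename that carries an embedded CRLF.
SAFE_HEADERS = {
    "Content-Disposition": 'form-data; name="upload"; filename="report.txt"',
}
INJECTED_HEADERS = {
    "Content-Disposition": (
        'form-data; name="upload"; filename="report.txt\r\nX-Injected: 1"'
    ),
}

if __name__ == "__main__":
    # One logical header serialized naively yields two header lines.
    print(count_header_lines(naive_serialize(INJECTED_HEADERS)))  # 2
    print(is_safe_headers(SAFE_HEADERS))      # True
    print(is_safe_headers(INJECTED_HEADERS))  # False
```

Call `validate_part_headers()` on any header mapping that contains user-supplied strings (typically the `filename` parameter of `Content-Disposition`) and only then hand the result to `MultipartWriter.append(headers=...)`; rejecting rather than silently stripping makes the tampering visible in application logs.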

-----

Patch: https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8


Affected packages

PyPI / aiohttp: introduced in 0, fixed in 3.14.0
Fix: pip install --upgrade 'aiohttp>=3.14.0'
