Search for packages
| purl | pkg:deb/debian/python-aiohttp@0?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-dr2r-7qda-tfh5 |
CVE-2026-34515
GHSA-p998-jp59-783m |
|
| VCID-ekqy-23wg-5ugu | In aiohttp, compressed files as symlinks are not protected from path traversal ### Summary Static routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links. ### Details The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file. ### Impact Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted. ---- Patch: https://github.com/aio-libs/aiohttp/pull/8653/files |
CVE-2024-42367
GHSA-jwhx-xcg6-8xhj |
| VCID-q4yf-6qbe-5fee | aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method ### Summary A memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due to the building of each `MatchInfoError` producing a unique cache entry. ### Impact If the user is making use of any middlewares with `aiohttp.web` then it is advisable to upgrade immediately. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. ----- Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936 |
CVE-2024-52303
GHSA-27mf-ghqm-j3j8 |
| VCID-ttq3-65ny-skdg | aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser ### Impact aiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). ### Reproducer ```python from aiohttp import web async def example(request: web.Request): headers = dict(request.headers) body = await request.content.read() return web.Response(text=f"headers: {headers} body: {body}") app = web.Application() app.add_routes([web.post('/', example)]) web.run_app(app) ``` Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. ```console $ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \ | nc localhost 8080 Expected output: headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b'' Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently) headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A' ``` ### Patches Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: [`pip install aiohttp >= 3.8.5`](https://pypi.org/project/aiohttp/3.8.5/) ### Workarounds If you aren't able to upgrade you can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling: ```console $ python -m pip uninstall --yes aiohttp $ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp ``` ### References * https://nvd.nist.gov/vuln/detail/CVE-2023-30589 * https://hackerone.com/reports/2001873 |
CVE-2023-37276
GHSA-45c4-8wx5-qw6w PYSEC-2023-120 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T13:19:51.726966+00:00 | Debian Importer | Fixing | VCID-dr2r-7qda-tfh5 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:37:05.831388+00:00 | Debian Importer | Fixing | VCID-q4yf-6qbe-5fee | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T09:11:12.066298+00:00 | Debian Importer | Fixing | VCID-dr2r-7qda-tfh5 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T18:24:10.781026+00:00 | Debian Importer | Fixing | VCID-q4yf-6qbe-5fee | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-03T07:50:36.031974+00:00 | Debian Importer | Fixing | VCID-dr2r-7qda-tfh5 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:35.516941+00:00 | Debian Importer | Fixing | VCID-q4yf-6qbe-5fee | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:35.461438+00:00 | Debian Importer | Fixing | VCID-ekqy-23wg-5ugu | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:34.928765+00:00 | Debian Importer | Fixing | VCID-ttq3-65ny-skdg | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |