VulnerableCode Package Details - pkg:deb/debian/python-aiohttp@3.10.11-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-q4yf-6qbe-5fee	aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method ### Summary A memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due to the building of each `MatchInfoError` producing a unique cache entry. ### Impact If the user is making use of any middlewares with `aiohttp.web` then it is advisable to upgrade immediately. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. ----- Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936	CVE-2024-52303 GHSA-27mf-ghqm-j3j8
VCID-zrgm-47ph-x3g3	aiohttp allows request smuggling due to incorrect parsing of chunk extensions ### Summary The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ----- Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71	CVE-2024-52304 GHSA-8495-4g3g-x7pr

Vulnerability

Summary

Aliases

VCID-q4yf-6qbe-5fee

aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method ### Summary A memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due to the building of each `MatchInfoError` producing a unique cache entry. ### Impact If the user is making use of any middlewares with `aiohttp.web` then it is advisable to upgrade immediately. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. ----- Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936

CVE-2024-52303
GHSA-27mf-ghqm-j3j8

VCID-zrgm-47ph-x3g3

aiohttp allows request smuggling due to incorrect parsing of chunk extensions ### Summary The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ----- Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

CVE-2024-52304
GHSA-8495-4g3g-x7pr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:20:47.932382+00:00	Debian Importer	Fixing	VCID-zrgm-47ph-x3g3	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:37:05.850426+00:00	Debian Importer	Fixing	VCID-q4yf-6qbe-5fee	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:43:25.803155+00:00	Debian Importer	Fixing	VCID-zrgm-47ph-x3g3	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:24:10.802269+00:00	Debian Importer	Fixing	VCID-q4yf-6qbe-5fee	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:50:35.599903+00:00	Debian Importer	Fixing	VCID-zrgm-47ph-x3g3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:35.541928+00:00	Debian Importer	Fixing	VCID-q4yf-6qbe-5fee	https://security-tracker.debian.org/tracker/data/json	38.1.0