VulnerableCode Package Details - pkg:deb/debian/python-aiohttp@3.9.5-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-bhkk-2b7c-wfgr	aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests ### Summary An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. ### Impact An attacker can stop the application from serving requests after sending a single request. ------- For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`): ```diff diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py index 227be605c..71fc2654a 100644 --- a/aiohttp/multipart.py +++ b/aiohttp/multipart.py @@ -338,6 +338,8 @@ class BodyPartReader: assert self._length is not None, "Content-Length required for chunked read" chunk_size = min(size, self._length - self._read_bytes) chunk = await self._content.read(chunk_size) + if self._content.at_eof(): + self._at_eof = True return chunk async def _read_chunk_from_stream(self, size: int) -> bytes: ``` This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in: https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866	CVE-2024-30251 GHSA-5m98-qgg9-wh84
VCID-jxqg-x9dh-z3hb	aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.	CVE-2024-23829 GHSA-8qpw-xqxj-h4r2 PYSEC-2024-26
VCID-pqus-ew4j-k7da	aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.	CVE-2024-23334 GHSA-5h86-8mv2-jq9f PYSEC-2024-24
VCID-tn28-662n-vug8	aiohttp Cross-site Scripting vulnerability on index pages for static file handling ### Summary A XSS vulnerability exists on index pages for static file handling. ### Details When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks. ### Workaround We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. ----- Patch: https://github.com/aio-libs/aiohttp/pull/8319/files	CVE-2024-27306 GHSA-7gpw-8wmc-pm8g

Vulnerability

Summary

Aliases

VCID-bhkk-2b7c-wfgr

aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests ### Summary An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. ### Impact An attacker can stop the application from serving requests after sending a single request. ------- For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`): ```diff diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py index 227be605c..71fc2654a 100644 --- a/aiohttp/multipart.py +++ b/aiohttp/multipart.py @@ -338,6 +338,8 @@ class BodyPartReader: assert self._length is not None, "Content-Length required for chunked read" chunk_size = min(size, self._length - self._read_bytes) chunk = await self._content.read(chunk_size) + if self._content.at_eof(): + self._at_eof = True return chunk async def _read_chunk_from_stream(self, size: int) -> bytes: ``` This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in: https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866

CVE-2024-30251
GHSA-5m98-qgg9-wh84

VCID-jxqg-x9dh-z3hb

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

CVE-2024-23829
GHSA-8qpw-xqxj-h4r2
PYSEC-2024-26

VCID-pqus-ew4j-k7da

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

CVE-2024-23334
GHSA-5h86-8mv2-jq9f
PYSEC-2024-24

VCID-tn28-662n-vug8

aiohttp Cross-site Scripting vulnerability on index pages for static file handling ### Summary A XSS vulnerability exists on index pages for static file handling. ### Details When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks. ### Workaround We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. ----- Patch: https://github.com/aio-libs/aiohttp/pull/8319/files

CVE-2024-27306
GHSA-7gpw-8wmc-pm8g

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:18:20.476894+00:00	Debian Importer	Fixing	VCID-bhkk-2b7c-wfgr	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T13:15:49.981295+00:00	Debian Importer	Fixing	VCID-pqus-ew4j-k7da	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:09:58.448328+00:00	Debian Importer	Fixing	VCID-bhkk-2b7c-wfgr	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T09:08:03.580397+00:00	Debian Importer	Fixing	VCID-pqus-ew4j-k7da	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:50:35.425124+00:00	Debian Importer	Fixing	VCID-bhkk-2b7c-wfgr	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:35.364290+00:00	Debian Importer	Fixing	VCID-tn28-662n-vug8	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:35.298216+00:00	Debian Importer	Fixing	VCID-jxqg-x9dh-z3hb	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:35.226831+00:00	Debian Importer	Fixing	VCID-pqus-ew4j-k7da	https://security-tracker.debian.org/tracker/data/json	38.1.0