CVE-2026-34519

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

Low

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Unchanged

Affected products

aio-libs / aiohttp< 3.13.4 – < 3.13.4

References

VENDOR_ADVISORYhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w
PATCHhttps://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b
PATCHhttps://github.com/aio-libs/aiohttp/releases/tag/v3.13.4