PyPI: aiohttp

CVE-2021-21330

Safety vulnerability ID: SFTY-20210226-47030

Safety legacy ID: pyup.io-39659

Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

PythonPyPINVDNVDGitHubGHSA
Created at: May 21, 2026Updated at: May 21, 2026

Overview

`aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)

Advisory

Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Affected Package

Affecting aiohttp package, versions
<3.7.4

Also affects

---

How to Fix

Upgrade
aiohttp
to
3.7.4
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more