PyPI: aiohttp
CVE-2026-34525
Safety vulnerability ID: SFTY-20260401-02448
Safety legacy ID: pyup.io-91428
Affected versions of the aiohttp package are vulnerable to HTTP Request Smuggling due to the acceptance of duplicate Host headers in incoming HTTP requests. The C extension HTTP parser failed to reject duplicate singleton headers such as Host, Content-Type, and Content-Length, creating parser differentials between the C and pure-Python implementations that could lead to inconsistent request interpretation. An attacker could send a crafted HTTP request containing multiple Host headers to bypass host-based access controls or poison routing decisions in upstream proxies and intermediaries.
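The advisory's core point is that a parser which silently tolerates a second Host (or Content-Length, or Content-Type) header leaves each hop free to pick a different copy, which is exactly the parser differential that request smuggling and host-based access-control bypasses exploit. The following is an added example, not aiohttp's own code or its fix, written to show the defensive rule in isolation: a small strict header-block check that rejects repeated singleton headers, next to a model of two lenient policies (keep-first versus keep-last) so the disagreement becomes visible on a constructed request. All names (`strict_headers`, `lenient_headers`, `differential`, the sample request bytes and hostnames) are hypothetical.

```python
"""Reject duplicate singleton headers in an HTTP/1.1 request head.

Added example; not aiohttp code.  The singleton set below is taken from the
advisory text (Host, Content-Type, Content-Length), which RFC 9110/9112 allow
at most once per message.
"""
from typing import Dict, List, Tuple

SINGLETON_HEADERS = frozenset({"host", "content-length", "content-type"})


class BadRequest(ValueError):
    """Raised when the request head is malformed or ambiguous."""


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head into lowercase (name, value) pairs.

    Keeps every occurrence, in wire order, so callers decide the policy.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    lines = head.split(b"\r\n")          # lines[0] is the request line
    pairs: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # No colon, empty name, or whitespace around the name (obs-fold or
        # "Host : x") are rejected outright rather than guessed at.
        if not colon or not name or name != name.strip():
            raise BadRequest(f"malformed header line: {line!r}")
        pairs.append((name.decode("latin-1").lower(),
                      value.strip().decode("latin-1")))
    return pairs


def strict_headers(raw: bytes) -> Dict[str, str]:
    """Strict policy: a second copy of any singleton header is fatal.

    Other repeated headers are list-valued and are joined with ", ".
    """
    seen: Dict[str, List[str]] = {}
    for name, value in parse_header_block(raw):
        if name in SINGLETON_HEADERS and name in seen:
            raise BadRequest(f"duplicate singleton header: {name}")
        seen.setdefault(name, []).append(value)
    return {name: ", ".join(values) for name, values in seen.items()}


def lenient_headers(raw: bytes, keep: str = "first") -> Dict[str, str]:
    """Model of a tolerant parser that silently keeps one copy.

    ``keep="first"`` and ``keep="last"`` stand in for two hops that disagree.
    """
    result: Dict[str, str] = {}
    for name, value in parse_header_block(raw):
        if keep == "first":
            result.setdefault(name, value)
        else:
            result[name] = value
    return result


def differential(raw: bytes) -> bool:
    """True when keep-first and keep-last disagree on any singleton header."""
    first = lenient_headers(raw, "first")
    last = lenient_headers(raw, "last")
    return any(first.get(h) != last.get(h) for h in SINGLETON_HEADERS)


def rejects(raw: bytes) -> bool:
    """True when the strict policy refuses the request head."""
    try:
        strict_headers(raw)
    except BadRequest:
        return True
    return False


# Constructed sample inputs (hostnames are made up for the example).
DUPLICATE_HOST = (b"GET /admin HTTP/1.1\r\n"
                  b"Host: internal.example\r\n"
                  b"Host: public.example\r\n"
                  b"Content-Length: 0\r\n\r\n")
CLEAN = (b"GET / HTTP/1.1\r\n"
         b"Host: public.example\r\n"
         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("clean request, strict:", strict_headers(CLEAN))
    print("duplicate Host, differential:", differential(DUPLICATE_HOST))
    print("duplicate Host, strict rejects:", rejects(DUPLICATE_HOST))
```

The point of `differential` is to make the risk concrete without any network traffic: with two Host lines present, a keep-first hop routes or authorises on `internal.example` while a keep-last hop sees `public.example`, and neither one is wrong on its own. The only safe policy for a singleton header is the one `strict_headers` applies: refuse the request as a whole.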
Overview
AIOHTTP accepts duplicate Host headers
How to Fix
Mitigation and Workarounds
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260401-02448/CVE-2026-34525
- https://data.safetycli.com/changelogs/aiohttp/
- https://github.com/advisories/GHSA-c427-h43c-vf67
- https://pypi.org/project/aiohttp
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67
- https://nvd.nist.gov/vuln/detail/CVE-2026-34525
- https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000
- https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349
- https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
