PyPI: aiohttp

CVE-2026-34518

Safety vulnerability ID: SFTY-20260401-07769

Safety legacy ID: pyup.io-91425

Affected versions of the aiohttp package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects. When following a redirect to a different origin, the library correctly strips the Authorization header but fails to remove the Cookie and Proxy-Authorization headers, allowing them to be forwarded to the unintended destination. An attacker controlling or observing the redirect target can capture these leaked credentials and session tokens, potentially gaining unauthorised access to user accounts or upstream proxies.

Created at: Apr 24, 2026. Updated at: Apr 24, 2026.

Overview

AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

Affected Package

Affecting aiohttp package, versions <=3.13.3

How to Fix

Upgrade aiohttp to 3.13.4 or higher.

Mitigation and Workarounds

The advisory lists no workaround. Until you can upgrade, pass allow_redirects=False on aiohttp requests that carry credentials and handle any 3xx response yourself: compare the scheme, host and port of the Location target against the original request, and drop Authorization, Cookie and Proxy-Authorization from the follow-up request whenever any of the three differs. Treat an https-to-http change on the same host as cross-origin too, so credentials are never replayed over plaintext.


Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.