PyPI: aiohttp
CVE-2026-34520
Safety vulnerability ID: SFTY-20260401-63930
Safety legacy ID: pyup.io-91427
Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to the default C parser (llhttp) accepting null bytes and control characters in response header values. Specifically, the parser fails to neutralise CRLF sequences and other control characters before including them in outgoing HTTP headers, which means methods such as request.url.origin() may return values that differ from the raw Host header or from what a reverse proxy interpreted. An attacker can craft malicious response headers containing embedded control characters to trigger inconsistent header interpretation, potentially leading to a Security Bypass.
Overview
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
Advisory
Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to the default C parser (llhttp) accepting null bytes and control characters in response header values. Specifically, the parser fails to neutralise CRLF sequences and other control characters before including them in outgoing HTTP headers, which means methods such as request.url.origin() may return values that differ from the raw Host header or from what a reverse proxy interpreted. An attacker can craft malicious response headers containing embedded control characters to trigger inconsistent header interpretation, potentially leading to a Security Bypass.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260401-63930/CVE-2026-34520
- https://data.safetycli.com/changelogs/aiohttp/
- https://github.com/advisories/GHSA-63hf-3vf5-4wqf
- https://pypi.org/project/aiohttp
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf
- https://nvd.nist.gov/vuln/detail/CVE-2026-34520
- https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4
- https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
- https://github.com/advisories/GHSA-63hf-3vf5-4wqf
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more