PyPI: aiohttp

CVE-2026-34519

Safety vulnerability ID: SFTY-20260401-70250

Safety legacy ID: pyup.io-91426

Created at: Apr 16, 2026
Updated at: Apr 16, 2026

Overview

AIOHTTP has HTTP response splitting via \r in reason phrase

Advisory

Affected versions of the aiohttp package are vulnerable to HTTP Response Splitting due to improper neutralisation of carriage return characters in the reason phrase of HTTP responses. The Response class does not sanitise the reason parameter, allowing injection of CRLF sequences that can manipulate outgoing HTTP headers. An attacker who controls the reason parameter can inject arbitrary headers into the HTTP response, potentially enabling cache poisoning or response manipulation.
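
The effect described above, and a guard against it, as an added example that is not taken from the advisory or from aiohttp's code: `naive_status_line` and `header_lines` are constructed stand-ins for a serializer that trusts the reason and for a lenient downstream parser, and `check_reason` is a hypothetical helper that enforces the RFC 9112 reason-phrase grammar before a value is used as `reason`.

```python
import re

# RFC 9112 reason-phrase = 1*( HTAB / SP / VCHAR / obs-text ).
# CR, LF, NUL and every other control character fall outside this set.
_REASON_OK = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def check_reason(reason: str) -> str:
    """Return reason unchanged if it is legal in a status line, else raise.

    fullmatch is used on purpose: '$' would accept a trailing newline.
    """
    if _REASON_OK.fullmatch(reason) is None:
        raise ValueError(f"illegal character in reason phrase: {reason!r}")
    return reason


def naive_status_line(status: int, reason: str) -> bytes:
    """Constructed stand-in: writes the reason into the status line as-is."""
    return f"HTTP/1.1 {status} {reason}\r\n".encode("latin-1")


def header_lines(raw: bytes) -> list[bytes]:
    """Constructed stand-in for a lenient parser that treats CRLF, bare LF
    or bare CR as a line ending."""
    return [line for line in re.split(rb"\r\n|\n|\r", raw) if line]


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    tainted = "OK\rX-Constructed: 1"
    print(header_lines(naive_status_line(200, tainted)))  # two lines, not one
    for value in ("Not Found", tainted, "OK\r\nX-Constructed: 1"):
        try:
            check_reason(value)
            print("accepted:", repr(value))
        except ValueError as exc:
            print("rejected:", exc)
```

The check belongs wherever request-derived text can reach the `reason` argument; upgrading to 3.13.4 or higher remains the fix the advisory gives.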

Affected Package

Affecting aiohttp package, versions <=3.13.3

Also affects

---

How to Fix

Upgrade aiohttp to 3.13.4 or higher.

Mitigation and Workarounds

---


Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
