
aio-libs — Vulnerabilities & Security Advisories (36)

Browse all 36 CVE security advisories affecting aio-libs. AI-powered Chinese analysis, POCs, and references for each vulnerability.

aio-libs is a collection of asynchronous Python libraries, best known for the aiohttp HTTP client/server framework and for companion projects such as aiomysql, aiodns (built on pycares) and aiosmtpd. These components sit directly on untrusted network input, so their advisory history is dominated by parser and resource-handling bugs rather than by any single catastrophic incident. The 36 CVEs indexed here fall mostly into a few classes: denial of service through unbounded memory or CPU use (oversized payloads, chunked bodies, multipart headers, trailer headers, DNS cache growth, decompression bombs); HTTP request/response smuggling and header injection caused by lenient or inconsistent parsing of chunk extensions, trailers, separators, CR/LF and non-ASCII bytes; and path-handling flaws in the static file handler (symlink following, directory traversal, UNC paths on Windows). Smaller groups cover credential leakage on cross-origin redirects, XSS in static index pages, a malicious-server file read in aiomysql, and STARTTLS and SMTP smuggling issues in aiosmtpd. The practical lesson is that a low-level HTTP or SMTP parser written for performance accumulates edge-case bugs over time: pin these packages, watch their advisories, and upgrade promptly when a fixed release is published.
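As a worked example of the "audit and upgrade" advice, the script below inventories the aio-libs packages installed in the running interpreter and flags any that are older than a minimum version you pass on the command line. It is an added example for this page, not code from aio-libs or from this site. The package names (aiohttp, aiomysql, aiodns, pycares, aiosmtpd) are taken from the advisory table on this page; the minimum versions are not on this page and must be read from each CVE's advisory, which is why the script takes them as `name=version` arguments instead of hard-coding them. The version comparison is a deliberately small stdlib-only comparator (release segments plus a/b/rc pre-releases), not a full PEP 440 implementation; the file name `audit_aio_libs.py` in the usage note is hypothetical.

```python
"""Inventory installed aio-libs packages and flag any below a minimum version.

Added example for this advisory index, not code from aio-libs or the site.
Package names come from the table on this page; minimum versions do not and
must be supplied from the relevant advisories as name=version arguments.
Standard library only.
"""
import re
import sys
from importlib import metadata

# Distributions that appear in this page's advisory table (aiodns is built on
# pycares, which is why both names are listed).
AIO_LIBS_PACKAGES = frozenset({"aiohttp", "aiomysql", "aiodns", "pycares", "aiosmtpd"})

_PRE_TAGS = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(
    r"v?(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?P<pre>a|b|rc)(?P<pre_num>\d+))?"
    r"(?:\.post\d+)?(?:\.dev\d+)?(?:\+[\w.]+)?"
)


def parse_version(text: str) -> tuple:
    """Map a version string to a comparable key.

    Handles dotted release segments plus a/b/rc pre-releases, which is what
    aio-libs projects publish. Not a full PEP 440 implementation: .post/.dev
    suffixes and local labels are accepted but ignored. Trailing zeros are
    stripped so 3.10 == 3.10.0, and a pre-release sorts below its final
    release (3.10.0rc1 < 3.10.0).
    """
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group("release").split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if m.group("pre"):
        pre = (_PRE_TAGS[m.group("pre")], int(m.group("pre_num")))
    else:
        pre = (9, 0)  # final release: sorts above any pre-release tag
    return (tuple(release), pre)


def is_below(installed: str, minimum: str) -> bool:
    """True when `installed` is older than `minimum`."""
    return parse_version(installed) < parse_version(minimum)


def audit(installed: dict, minimums: dict) -> list:
    """Compare {package: installed version} against {package: minimum version}.

    Returns sorted (package, installed, minimum) triples for every package
    that is present and older than its minimum. Names are matched
    case-insensitively; packages without a minimum are ignored.
    """
    wanted = {name.lower(): version for name, version in minimums.items()}
    findings = []
    for name, version in installed.items():
        key = name.lower()
        if key in wanted and is_below(version, wanted[key]):
            findings.append((key, version, wanted[key]))
    return sorted(findings)


def installed_aio_libs() -> dict:
    """Snapshot {package: version} for the aio-libs packages in this environment."""
    found = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name and name.lower() in AIO_LIBS_PACKAGES:
            found[name.lower()] = dist.version
    return found


def _parse_minimums(args: list) -> dict:
    """Turn ['aiohttp=3.x.y', ...] from the command line into a dict."""
    minimums = {}
    for arg in args:
        name, sep, version = arg.partition("=")
        if not sep or not version:
            raise SystemExit(f"expected name=version, got {arg!r}")
        minimums[name] = version
    return minimums


if __name__ == "__main__":
    snapshot = installed_aio_libs()
    for name, version in sorted(snapshot.items()):
        print(f"{name:10} {version}")
    for name, have, need in audit(snapshot, _parse_minimums(sys.argv[1:])):
        print(f"OUTDATED {name}: installed {have}, advisory minimum {need}")
```

Run it as `python audit_aio_libs.py aiohttp=<fixed version from the advisory> aiosmtpd=<fixed version>`; with no arguments it only prints the snapshot. The comparator treats `3.10.0rc1` as older than `3.10.0`, which is the behaviour you want when an advisory names a final release as the fix, and it rejects version strings it does not understand instead of silently comparing them as text.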

Scores and severities marked (AI) are the site's AI-generated estimates rather than a published value; "-" means no value was shown.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34525 | AIOHTTP: Duplicate Host header accepted | aiohttp | CWE-20 | 5.8 | - | 2026-04-01 |
| CVE-2026-34520 | AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass | aiohttp | CWE-113 | 9.1 | - | 2026-04-01 |
| CVE-2026-34519 | AIOHTTP: HTTP response splitting via \r in reason phrase | aiohttp | CWE-113 | 6.5 | - | 2026-04-01 |
| CVE-2026-34518 | AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect | aiohttp | CWE-200 | 4.3 | - | 2026-04-01 |
| CVE-2026-34517 | AIOHTTP: Late size enforcement for non-file multipart fields causes memory DoS | aiohttp | CWE-770 | 7.5 | - | 2026-04-01 |
| CVE-2026-34516 | AIOHTTP: Multipart Header Size Bypass | aiohttp | CWE-770 | 7.5 | - | 2026-04-01 |
| CVE-2026-34515 | AIOHTTP: UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows | aiohttp | CWE-36 | 5.3 | - | 2026-04-01 |
| CVE-2026-34514 | AIOHTTP: CRLF injection in multipart part content type header construction | aiohttp | CWE-113 | 6.5 | - | 2026-04-01 |
| CVE-2026-22815 | AIOHTTP: Uncapped memory usage possible through aiohttp allowing unlimited trailer headers | aiohttp | CWE-400 | 7.5 | - | 2026-04-01 |
| CVE-2026-34513 | AIOHTTP: Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector | aiohttp | CWE-770 | 7.5 (AI) | High (AI) | 2026-04-01 |
| CVE-2025-69230 | AIOHTTP Vulnerable to Cookie Parser Warning Storm | aiohttp | CWE-779 | - | - | 2026-01-05 |
| CVE-2025-69229 | AIOHTTP vulnerable to DoS through chunked messages | aiohttp | CWE-770 | 7.5 | - | 2026-01-05 |
| CVE-2025-69228 | AIOHTTP vulnerable to denial of service through large payloads | aiohttp | CWE-770 | 7.5 | - | 2026-01-05 |
| CVE-2025-69227 | AIOHTTP vulnerable to DoS when bypassing asserts | aiohttp | CWE-835 | 7.5 | - | 2026-01-05 |
| CVE-2025-69225 | AIOHTTP Regex Mismatch Allows Unicode in ASCII-Only Protocol Fields | aiohttp | CWE-444 | 7.5 | - | 2026-01-05 |
| CVE-2025-69226 | AIOHTTP allows for a brute-force leak of internal static filepath components | aiohttp | CWE-22 | 5.3 | - | 2026-01-05 |
| CVE-2025-69224 | AIOHTTP's Unicode processing of header values could cause parsing discrepancies | aiohttp | CWE-444 | 7.5 | - | 2026-01-05 |
| CVE-2025-69223 | AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb | aiohttp | CWE-409 | 7.5 | High | 2026-01-05 |
| CVE-2025-62611 | aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server | aiomysql | CWE-73 | 7.5 (AI) | High (AI) | 2025-10-22 |
| CVE-2025-53643 | AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections | aiohttp | CWE-444 | 9.8 | - | 2025-07-14 |
| CVE-2025-48945 | pycares has a Use-After-Free Vulnerability | aiodns | CWE-416 | 7.5 (AI) | High (AI) | 2025-06-20 |
| CVE-2024-52304 | aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions | aiohttp | CWE-444 | 7.5 | - | 2024-11-18 |
| CVE-2024-52303 | aiohttp memory leak when middleware is enabled when requesting a resource with a non-allowed method | aiohttp | CWE-772 | 5.9 | - | 2024-11-18 |
| CVE-2024-42367 | In aiohttp, compressed files as symlinks are not protected from path traversal | aiohttp | CWE-61 | 4.8 | Medium | 2024-08-09 |
| CVE-2024-34083 | STARTTLS unencrypted commands injection | aiosmtpd | CWE-349 | 5.4 | Medium | 2024-05-18 |
| CVE-2024-30251 | Denial of service when trying to parse malformed POST requests in aiohttp | aiohttp | CWE-835 | 7.5 | High | 2024-05-02 |
| CVE-2024-27306 | aiohttp vulnerable to XSS on index pages for static file handling | aiohttp | CWE-79 | 6.1 | Medium | 2024-04-18 |
| CVE-2024-27305 | SMTP smuggling in aiosmtpd | aiosmtpd | CWE-345 | 5.3 | Medium | 2024-03-12 |
| CVE-2024-23334 | aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal | aiohttp | CWE-22 | 5.9 | Medium | 2024-01-29 |
| CVE-2024-23829 | aiohttp's HTTP parser (the Python one, not llhttp) still overly lenient about separators | aiohttp | CWE-444 | 6.5 | Medium | 2024-01-29 |

This page indexes the published CVE advisories associated with aio-libs. Each entry links to a detailed page with the CVSS score, CWE classification, affected products and references, together with an AI-generated analysis in Chinese for fast triage.