Multiple Host headers were allowed in aiohttp.
Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().
Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349
Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000
| Score | Percentile |
|---|---|
| 0.12% | 30.90% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-c427-h43c-vf67 ↗ |
| CVE | CVE-2026-34525 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | aiohttp | <= 3.13.3 | 3.13.4 | — |