aiohttp@3.14.0

Async http client/server framework (asyncio)

  • latest version

    3.14.1

  • latest non-vulnerable version

  • first published

    12 years ago

  • latest version published

    14 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the aiohttp package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity) / Vulnerable versions
    • High severity: Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling because the HTTP/1 pipelined request queue is handled without a limit. An attacker can exhaust system memory by sending a large number of pipelined requests, potentially causing service disruption.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade aiohttp to version 3.14.1 or higher.

    Vulnerable versions: [,3.14.1)
    • Medium severity: Improper Resource Shutdown or Release

    Affected versions of this package are vulnerable to Improper Resource Shutdown or Release in the payload response resources when a client disconnects during a write operation. An attacker can cause temporary resource exhaustion by repeatedly initiating connections and disconnecting mid-transfer, leading to open files or similar resources not being released until garbage collection occurs.

    How to fix Improper Resource Shutdown or Release?

    Upgrade aiohttp to version 3.14.1 or higher.

    Vulnerable versions: [,3.14.1)
    • High severity: Improper Handling of Highly Compressed Data (Data Amplification)

    Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) during cleanup. An attacker can exhaust system memory by sending a specially crafted compressed payload that is decompressed into memory in a single chunk.

    How to fix Improper Handling of Highly Compressed Data (Data Amplification)?

    Upgrade aiohttp to version 3.14.1 or higher.

    Vulnerable versions: [,3.14.1)
    • High severity: Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the C HTTP parser when the max_line_size check is bypassed for fragmented lines. An attacker can cause excessive memory consumption by sending oversized HTTP request lines, potentially resulting in resource exhaustion and service disruption.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade aiohttp to version 3.14.1 or higher.

    Vulnerable versions: [,3.14.1)
    • Medium severity: Improper Validation of Certificate with Host Mismatch

    Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch in the server_hostname parameter handling during HTTPS connection reuse. An attacker can bypass intended TLS SNI checks by reusing an existing connection with a different server_hostname, potentially allowing connections to unintended hosts.

    How to fix Improper Validation of Certificate with Host Mismatch?

    Upgrade aiohttp to version 3.14.1 or higher.

    Vulnerable versions: [,3.14.1)
    • Medium severity: Exposure of Private Personal Information to an Unauthorized Actor

    Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in the CookieJar.save and CookieJar.load functions. An attacker can cause cookies intended for a specific host to be sent to subdomains by persisting and restoring cookies, potentially leading to unintended information disclosure.

    How to fix Exposure of Private Personal Information to an Unauthorized Actor?

    Upgrade aiohttp to version 3.14.1 or higher.

    Vulnerable versions: [,3.14.1)
    • Medium severity: Insufficiently Protected Credentials

    Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the DigestAuthMiddleware class when authentication responses are sent after following cross-origin redirects. An attacker can obtain authentication digests by leveraging an open redirect or similar issue to redirect a client to an attacker-controlled domain.

    Note: This is only exploitable if the client follows redirects to attacker-controlled domains.

    How to fix Insufficiently Protected Credentials?

    Upgrade aiohttp to version 3.14.1 or higher.

    Vulnerable versions: [,3.14.1)
    • High severity: Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the WebSocket frame checks. An attacker can exhaust system memory by sending large incomplete frame payloads, potentially leading to service disruption.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade aiohttp to version 3.14.1 or higher.

    Vulnerable versions: [,3.14.1)
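Every advisory above shares the affected range [,3.14.1) and the same fix. As an added example that is not part of this page or of the aiohttp project, the check below parses that interval notation and flags exact aiohttp pins that fall inside it; the requirements content is a constructed sample.

```python
"""Check pinned aiohttp versions against the affected range printed on this page."""
import re

# Every advisory above lists the same affected range and fix version.
AFFECTED_RANGE = "[,3.14.1)"
FIX_VERSION = "3.14.1"

# Constructed sample requirements file (not from the page); 3.14.0 matches the page title.
SAMPLE_REQUIREMENTS = """\
aiohttp==3.14.0
yarl==1.9.4
aiohttp-extra==0.1.0
"""

def parse_version(v: str) -> tuple:
    """Turn '3.14.0' into (3, 14, 0); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3]) or (0,)

def in_range(version: str, rng: str) -> bool:
    """Evaluate interval notation such as '[,3.14.1)' or '[3.0.0,3.14.1)'.

    '[' and ']' are inclusive bounds, '(' and ')' exclusive; an empty bound is open.
    """
    m = re.fullmatch(r"([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])", rng.strip())
    if not m:
        raise ValueError(f"unrecognised range: {rng}")
    lo_bracket, lo, hi, hi_bracket = m.groups()
    v = parse_version(version)
    if lo and not (v >= parse_version(lo) if lo_bracket == "[" else v > parse_version(lo)):
        return False
    if hi and not (v <= parse_version(hi) if hi_bracket == "]" else v < parse_version(hi)):
        return False
    return True

def vulnerable_pins(requirements: str, package: str = "aiohttp", rng: str = AFFECTED_RANGE) -> list:
    """Return [(name, version)] for exact '==' pins of `package` inside the affected range."""
    hits = []
    for line in requirements.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;#]*)", line)
        if m and m.group(1).lower() == package.lower() and in_range(m.group(2), rng):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for name, ver in vulnerable_pins(SAMPLE_REQUIREMENTS):
        print(f"{name}=={ver} falls in {AFFECTED_RANGE}; upgrade to {FIX_VERSION} or higher")
```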