HTTP Request Smuggling Affecting aiohttp package, versions [,3.13.4)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-AIOHTTP-15873733
- published2 Apr 2026
- disclosed1 Apr 2026
- credit5yu4n
Introduced: 1 Apr 2026
NewCVE-2026-34525 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade aiohttp to version 3.13.4 or higher.
Overview
Affected versions of this package are vulnerable to HTTP Request Smuggling via the processing of duplicate Host headers. An attacker can bypass security checks enforced by a reverse proxy by sending requests with multiple Host headers, potentially causing the proxy and the backend to interpret different host values and allowing unauthorized access to privileged sub-applications.
Note:
This is only exploitable if a reverse proxy applies security rules based on the Host header and the backend uses domain-based routing.