chore(deps): update dependency aiohttp to v3.13.3 [security] #1366
+3
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==3.12.14→==3.13.3AIOHTTP vulnerable to denial of service through large payloads
CVE-2025-69228 / GHSA-6jhg-hg63-jvvf
More information
Details
Summary
A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.
Impact
If an application includes a handler that uses the
Request.post()method, an attacker may be able to freeze the server by exhausting the memory.Patch: aio-libs/aiohttp@b7dbd35
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
CVE-2025-69223 / GHSA-6mq8-rvhq-8wgg
More information
Details
Summary
A zip bomb can be used to execute a DoS against the aiohttp server.
Impact
An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.
Patch: aio-libs/aiohttp@2b920c3
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP's unicode processing of header values could cause parsing discrepancies
CVE-2025-69224 / GHSA-69f9-5gxw-wvc2
More information
Details
Summary
The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: aio-libs/aiohttp@32677f2
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP vulnerable to DoS through chunked messages
CVE-2025-69229 / GHSA-g84x-mcqj-x9qq
More information
Details
Summary
Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.
Impact
If an application makes use of the
request.read()method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.Patch: aio-libs/aiohttp@dc3170b
Patch: aio-libs/aiohttp@4ed97a4
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP vulnerable to brute-force leak of internal static file path components
CVE-2025-69226 / GHSA-54jq-c3m8-4m76
More information
Details
Summary
Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the
existence of absolute path components.
Impact
If an application uses
web.static()(not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.Patch: aio-libs/aiohttp@f2a86fd
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
CVE-2025-69225 / GHSA-mqqc-3gqh-h2x8
More information
Details
Summary
The parser allows non-ASCII decimals to be present in the Range header.
Impact
There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.
Patch: aio-libs/aiohttp@c7b7a04
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP vulnerable to DoS when bypassing asserts
CVE-2025-69227 / GHSA-jj3x-wxrx-4x23
More information
Details
Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.
Impact
If optimisations are enabled (
-OorPYTHONOPTIMIZE=1), and the application includes a handler that uses theRequest.post()method, then an attacker may be able to execute a DoS attack with a specially crafted message.Patch: aio-libs/aiohttp@bc1319e
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP Vulnerable to Cookie Parser Warning Storm
CVE-2025-69230 / GHSA-fh55-r93g-j68g
More information
Details
Summary
Reading multiple invalid cookies can lead to a logging storm.
Impact
If the
cookiesattribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.Patch: aio-libs/aiohttp@64629a0
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
aio-libs/aiohttp (aiohttp)
v3.13.3Compare Source
===================
This release contains fixes for several vulnerabilities. It is advised to
upgrade as soon as possible.
Bug fixes
Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors
-- by :user:
GLeurquin.Related issues and pull requests on GitHub:
:issue:
2596.Fixed multipart reading failing when encountering an empty body part -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
11857.Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context.
Related issues and pull requests on GitHub:
:issue:
11862.Removals and backward incompatible breaking changes
Brotliandbrotlicffiminimum version is now 1.2.Decompression now has a default maximum output size of 32MiB per decompress call -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
11898.Packaging updates and notes for downstreams
Moved dependency metadata from :file:
setup.cfgto :file:pyproject.tomlper :pep:621-- by :user:
cdce8p.Related issues and pull requests on GitHub:
:issue:
11643.Contributor-facing changes
Removed unused
update-pre-commitgithub action workflow -- by :user:Cycloctane.Related issues and pull requests on GitHub:
:issue:
11689.Miscellaneous internal changes
Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10713.Added regression test for cached logging status -- by :user:
meehand.Related issues and pull requests on GitHub:
:issue:
11778.v3.13.2: 3.13.2Compare Source
Bug fixes
Fixed cookie parser to continue parsing subsequent cookies when encountering a malformed cookie that fails regex validation, such as Google's
g_statecookie with unescaped quotes -- by :user:bdraco.Related issues and pull requests on GitHub:
#11632.
Fixed loading netrc credentials from the default :file:
~/.netrc(:file:~/_netrcon Windows) location when the :envvar:NETRCenvironment variable is not set -- by :user:bdraco.Related issues and pull requests on GitHub:
#11713, #11714.
Fixed WebSocket compressed sends to be cancellation safe. Tasks are now shielded during compression to prevent compressor state corruption. This ensures that the stateful compressor remains consistent even when send operations are cancelled -- by :user:
bdraco.Related issues and pull requests on GitHub:
#11725.
v3.13.1Compare Source
===================
Features
Make configuration options in
AppRunneralso available inrun_app()-- by :user:
Cycloctane.Related issues and pull requests on GitHub:
:issue:
11633.Bug fixes
Switched to
backports.zstdfor Python <3.14 and fixed zstd decompression for chunked zstd streams -- by :user:ZhaoMJ.Note: Users who installed
zstandardfor support on Python <3.14 will now need to installbackports.zstdinstead (installingaiohttp[speedups]will do this automatically).Related issues and pull requests on GitHub:
:issue:
11623.Updated
Content-Typeheader parsing to returnapplication/octet-streamwhen header contains invalid syntax.See :rfc:
9110#section-8.3-5.-- by :user:
sgaist.Related issues and pull requests on GitHub:
:issue:
10889.Fixed Python 3.14 support when built without
zstdsupport -- by :user:JacobHenner.Related issues and pull requests on GitHub:
:issue:
11603.Fixed blocking I/O in the event loop when using netrc authentication by moving netrc file lookup to an executor -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
11634.Fixed routing to a sub-application added via
.add_domain()not workingif the same path exists on the parent app. -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
11673.Packaging updates and notes for downstreams
Moved core packaging metadata from :file:
setup.cfgto :file:pyproject.tomlper :pep:621-- by :user:
cdce8p.Related issues and pull requests on GitHub:
:issue:
9951.v3.13.0Compare Source
===================
Features
Added support for Python 3.14.
Related issues and pull requests on GitHub:
:issue:
10851, :issue:10872.Added support for free-threading in Python 3.14+ -- by :user:
kumaraditya303.Related issues and pull requests on GitHub:
:issue:
11466, :issue:11464.Added support for Zstandard (aka Zstd) compression
-- by :user:
KGuillaume-chaps.Related issues and pull requests on GitHub:
:issue:
11161.Added
StreamReader.total_raw_bytesto check the number of bytes downloaded-- by :user:
robpats.Related issues and pull requests on GitHub:
:issue:
11483.Bug fixes
Fixed pytest plugin to not use deprecated :py:mod:
asynciopolicy APIs.Related issues and pull requests on GitHub:
:issue:
10851.Updated
Content-Dispositionheader parsing to handle trailing semicolons and empty parts-- by :user:
PLPeeters.Related issues and pull requests on GitHub:
:issue:
11243.Fixed saved
CookieJarfailing to be loaded if cookies havepartitionedflag whenhttp.cookiedoes not have partitioned cookies supports. -- by :user:Cycloctane.Related issues and pull requests on GitHub:
:issue:
11523.Improved documentation
Added
Wireupto third-party libraries -- by :user:maldoinc.Related issues and pull requests on GitHub:
:issue:
11233.Packaging updates and notes for downstreams
The
blockbustertest dependency is now optional; the corresponding test fixture is disabled when it is unavailable-- by :user:
musicinybrain.Related issues and pull requests on GitHub:
:issue:
11363.Added
riscv64build to releases -- by :user:eshattow.Related issues and pull requests on GitHub:
:issue:
11425.Contributor-facing changes
Fixed
test_send_compress_textfailing when alternative zlib implementationis used. (
zlib-ngin python 3.14 windows build) -- by :user:Cycloctane.Related issues and pull requests on GitHub:
:issue:
11546.v3.12.15Compare Source
====================
Bug fixes
Fixed :class:
~aiohttp.DigestAuthMiddlewareto preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expectingalgorithm=MD5-sessinstead ofalgorithm=MD5-SESS)-- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
11352.Improved documentation
Remove outdated contents of
aiohttp-devtoolsandaiohttp-swaggerfrom Web_advanced docs.
-- by :user:
CycloctaneRelated issues and pull requests on GitHub:
:issue:
11347.Packaging updates and notes for downstreams
Started including the
llhttp:file:LICENSEfile in wheels by addingvendor/llhttp/LICENSEtolicense-filesin :file:setup.cfg-- by :user:threexc.Related issues and pull requests on GitHub:
:issue:
11226.Contributor-facing changes
Updated a regex in
test_aiohttp_request_coroutinefor Python 3.14.Related issues and pull requests on GitHub:
:issue:
11271.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.