CVE-2026-34525
ADVISORY - githubSummary
Summary
Multiple Host headers were allowed in aiohttp.
Impact
Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().
Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349 Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000
Common Weakness Enumeration (CWE)
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
NIST
CVSS SCORE
6.3mediumGitHub
CVSS SCORE
6.3mediumAlpine
-
Debian
-
Ubuntu
3.9
CVSS SCORE
5.3mediumRed Hat
2.2
CVSS SCORE
5.4mediumChainguard
CGA-3qvr-m27f-v5v7
-
minimos
MINI-3xgj-6gp2-57v4
-
minimos
MINI-47w8-3wfh-2mxc
-
minimos
MINI-74pv-fwg3-g28v
-
minimos
MINI-9jww-8rw9-4ph6
-
minimos
MINI-hf7g-fx53-jxgg
-
minimos
MINI-pjmx-c8wm-hm76
-
minimos
MINI-r9xh-rj28-6gvc
-