CVE-2026-34525

ADVISORY - github

Summary

Summary

Multiple Host headers were allowed in aiohttp.

Impact

Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().


Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349 Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000

EPSS Score: 0.00288 (0.206)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Input Validation

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

ADVISORY - github

Improper Input Validation

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

ADVISORY - redhat

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')


NIST

CREATED

UPDATED

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

6.3medium

GitHub

CREATED

UPDATED

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

6.3medium

Alpine

CREATED

UPDATED

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Debian

CREATED

UPDATED

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

UPDATED

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

5.3medium

Red Hat

CREATED

UPDATED

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.4medium

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-3qvr-m27f-v5v7

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-3xgj-6gp2-57v4

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-47w8-3wfh-2mxc

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-74pv-fwg3-g28v

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-9jww-8rw9-4ph6

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-hf7g-fx53-jxgg

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-pjmx-c8wm-hm76

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-r9xh-rj28-6gvc

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY