Sign In

CVE-2026-34525

ADVISORY - github

Summary

Summary

Multiple Host headers were allowed in aiohttp.

Impact

Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().

Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349 Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000

EPSS Score: 0.00085 (0.248)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-20

Improper Input Validation

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

ADVISORY - github

CWE-20

Improper Input Validation

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

ADVISORY - redhat

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in