Fluid Attacks Database

Description

AIOHTTP accepts duplicate Host headers

Summary

Multiple Host headers were allowed in aiohttp.

Impact

Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().

Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349 Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	aiohttp	>=0 <3.13.4	3.13.4
debian 13	python-aiohttp	=3.11.16-1 \|\| =3.11.16-1+deb13u1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| =3.13.5-1	-
debian 14	python-aiohttp	=3.11.16-1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| >=0 <3.13.5-1	3.13.5-1
debian 11	python-aiohttp	=3.7.4-1 \|\| =3.7.4-1+deb11u1 \|\| >=0 <3.7.4-1+deb11u2	3.7.4-1+deb11u2
debian 12	python-aiohttp	=3.10.0-1 \|\| =3.10.1-1 \|\| =3.10.10-1 \|\| =3.10.10-2 \|\| =3.10.11-1 \|\| =3.10.3-1 \|\| =3.10.3-2 \|\| =3.10.3-3 \|\| =3.10.4-1 \|\| =3.10.5-1 \|\| =3.10.6-1 \|\| =3.10.8-1 \|\| =3.11.15-1 \|\| =3.11.16-1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| =3.13.5-1 \|\| =3.8.4-1 \|\| =3.8.4-1+deb12u1 \|\| =3.8.5-1 \|\| =3.8.6-1 \|\| =3.9.1-1 \|\| =3.9.5-1	-

Aliases

1. CVE-2026-345252. NVD-2026-345253. OSV-2026-345254. OSV-DEBIAN-2026-345255. GHSA-c427-h43c-vf676. GCVE-2026-345257. SECURITY-TRACKER-CVE-2026-34525

References

1. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf672. https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b30003. https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed83494. https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.