OESA-2026-2194

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2194
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2194.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2026-2194
Upstream
Published
2026-05-03T09:58:07Z
Modified
2026-05-03T10:20:07.308705Z
Summary
python-aiohttp security update
Details

Async http client/server framework (asyncio).

Security Fix(es):

Insufficient restrictions in header/trailer handling could cause uncapped memory usage. (CVE-2026-22815)

An unbounded DNS cache could result in excessive memory usage, possibly resulting in a DoS situation. (CVE-2026-34513)

An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. (CVE-2026-34514)

A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. (CVE-2026-34516)

For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. (CVE-2026-34517)

When following redirects to a different origin, aiohttp drops the Authorization header but retains the Cookie and Proxy-Authorization headers. (CVE-2026-34518)

aiohttp is vulnerable to HTTP response splitting attacks. An attacker can insert carriage return (\r) characters in the reason phrase to craft malicious responses, leading to response splitting attacks. This vulnerability affects aiohttp versions up to and including 3.13.3. (CVE-2026-34519)

The llhttp parser in aiohttp accepts null bytes and control characters in response header values, which could allow attackers to perform HTTP header injection attacks and bypass security restrictions. (CVE-2026-34520)

aiohttp is a Python asynchronous HTTP client/server framework. In version 3.13.3 and earlier, there is a security vulnerability that allows accepting duplicate Host headers, which may lead to HTTP request smuggling attacks. Attackers could exploit this vulnerability to bypass security controls or perform man-in-the-middle attacks. (CVE-2026-34525)

Database specific
{
    "severity": "Medium"
}
References

Affected packages

openEuler:24.03-LTS / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:rpm/openEuler/python-aiohttp&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.13.5-1.oe2403

Ecosystem specific

{
    "src": [
        "python-aiohttp-3.13.5-1.oe2403.src.rpm"
    ],
    "aarch64": [
        "python-aiohttp-debuginfo-3.13.5-1.oe2403.aarch64.rpm",
        "python-aiohttp-debugsource-3.13.5-1.oe2403.aarch64.rpm",
        "python-aiohttp-help-3.13.5-1.oe2403.aarch64.rpm",
        "python3-aiohttp-3.13.5-1.oe2403.aarch64.rpm"
    ],
    "x86_64": [
        "python-aiohttp-debuginfo-3.13.5-1.oe2403.x86_64.rpm",
        "python-aiohttp-debugsource-3.13.5-1.oe2403.x86_64.rpm",
        "python-aiohttp-help-3.13.5-1.oe2403.x86_64.rpm",
        "python3-aiohttp-3.13.5-1.oe2403.x86_64.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2194.json"