Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
Published: 2026-04-01
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Header Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from insufficient sanitization of the content_type parameter when aiohttp constructs multipart part content type headers. An attacker who can control this value can inject CRLF sequences, enabling the addition of arbitrary HTTP headers to the response. This header injection could alter response behavior or support further attacks, though it does not grant direct code execution. The weakness aligns with CWE‑113 and CWE‑93, which describe header injection and the use of untrusted data in render contexts.

Affected Systems

The affected product is aio-libs aiohttp. All releases before version 3.13.4 contain the flaw; upgrading to 3.13.4 or a newer release fixes the issue.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and the vulnerability is not listed in the KEV catalog. EPSS data is unavailable, suggesting limited widespread exploitation. The likely attack vector is remote: an adversary who can supply or influence the content_type parameter in multipart requests can exploit the flaw. Successful exploitation requires such control; otherwise the risk remains low but non‑negligible.

Generated by OpenCVE AI on April 2, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.13.4 or later.
  • Check that all dependent packages are updated to compatible, non‑vulnerable versions.
  • If an upgrade cannot be performed immediately, restrict or sanitize external clients from setting the content_type parameter and validate or encode the value before use.

Generated by OpenCVE AI on April 2, 2026 at 02:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2vrm-gr82-f7m5 AIOHTTP has CRLF injection through multipart part content type header construction
History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Aiohttp
Aiohttp aiohttp
CPEs cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products Aiohttp
Aiohttp aiohttp

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-93
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Moderate

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
Title AIOHTTP: CRLF injection in multipart part content type header construction
Weaknesses CWE-113
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Aio-libs Aiohttp
Aiohttp Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T14:07:17.671Z

Reserved: 2026-03-30T16:03:31.047Z

Link: CVE-2026-34514

cve-icon Vulnrichment

Updated: 2026-04-02T14:07:14.182Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T21:16:59.417

Modified: 2026-04-15T14:13:42.230

Link: CVE-2026-34514

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-01T20:09:50Z

Links: CVE-2026-34514 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:16:44Z

Weaknesses