Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
Published: 2026-04-01
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: HTTP response header injection via reason parameter
Action: Patch
AI Analysis

Impact

AIOHTTP allows users to specify the reason phrase of an HTTP response. An attacker who can control this value can embed a carriage return character, causing the server to split the response and inject additional headers. This attack can manipulate downstream client behavior or redirect traffic, but does not provide direct code execution or system compromise. The weakness aligns with HTTP response splitting (CWE‑113) and improper taint checking (CWE‑1286).

Affected Systems

The vulnerability affects the aio-libs aiohttp asynchronous HTTP framework for Python, versions prior to 3.13.4. Any deployment using these older releases and constructing custom Response objects with user-supplied reason strings is susceptible.

Risk and Exploitability

The official CVSS score is 2.7, indicating low severity, and no EPSS score is published. It is not listed in CISA’s KEV catalog. Exploitation requires control over the reason parameter, which typically means the attacker must be able to influence the code that creates the Response object. Once the parameter is controlled, the attack can be performed over the network if the server exposes the vulnerable endpoint.

Generated by OpenCVE AI on April 2, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to aiohttp 3.13.4 or later
  • If upgrading is not immediately possible, validate or sanitize the reason string to remove CR and LF characters

Generated by OpenCVE AI on April 2, 2026 at 02:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mwh4-6h8g-pg8w AIOHTTP has HTTP response splitting via \r in reason phrase
History

Thu, 16 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Aiohttp
Aiohttp aiohttp
CPEs cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products Aiohttp
Aiohttp aiohttp

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Moderate

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
Title AIOHTTP: HTTP response splitting via \r in reason phrase
Weaknesses CWE-113
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Aio-libs Aiohttp
Aiohttp Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:40:13.945Z

Reserved: 2026-03-30T16:03:31.047Z

Link: CVE-2026-34519

cve-icon Vulnrichment

Updated: 2026-04-02T15:40:10.158Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T21:17:00.170

Modified: 2026-04-16T16:28:04.757

Link: CVE-2026-34519

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-01T20:26:25Z

Links: CVE-2026-34519 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:16:39Z

Weaknesses