Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
Published: 2026-04-01
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Header Manipulation leading to request misrouting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in aiohttp allows an attacker to send HTTP requests containing multiple Host headers. The server accepts and processes all header instances rather than rejecting duplicates, creating ambiguity in request handling. This weakness, identified as CWE-20 (Improper Input Validation) and CWE-444 (URL Filtering Weaknesses), can enable an attacker to manipulate the perceived target host of a request, potentially resulting in request smuggling, service degradation, or unintended data disclosure.

Affected Systems

This flaw exists in the aio-libs aiohttp asynchronous HTTP framework. Any installation running a version earlier than 3.13.4 is affected. The official fix is provided in the aiohttp release 3.13.4, so systems using older releases should be patched to that version or newer.

Risk and Exploitability

With a CVSS score of 6.3, the vulnerability is considered moderate in severity. The EPSS score is not reported and the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, so there is no confirmed exploitation data. However, the attack vector is network-based: an adversary only needs the ability to send a specially crafted HTTP request to a reachable aiohttp service, which makes exploitation reasonably likely for publicly exposed instances. The absence of any privilege requirement further raises the practical risk for affected environments.

Generated by OpenCVE AI on April 2, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.13.4 or later.
  • Confirm that the server configuration rejects duplicate Host headers or enforces strict header parsing.
  • Monitor inbound HTTP traffic for suspicious duplicate Host header patterns as a potential probing indicator.
  • If an upgrade cannot occur immediately, use a reverse proxy or firewall rule to strip or block requests containing multiple Host headers.
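As an added example (not OpenCVE's or aiohttp's own code), the following stdlib-only Python check implements the strict header parsing recommended above: it parses a raw HTTP/1.1 request head and rejects any request that carries zero or more than one Host field, matching field names case-insensitively so that `Host` and `HOST` count as the same header. The function names and the sample request heads are constructed for this example.

```python
# Strict Host-header check for HTTP/1.1 request heads (added example, stdlib only).
# parse_request_head / check_host_header / triage are assumed names, not aiohttp's API.
from dataclasses import dataclass

@dataclass
class RequestHead:
    method: str
    target: str
    version: str
    headers: list  # (name, value) pairs in wire order; names lower-cased

def parse_request_head(raw: bytes) -> RequestHead:
    """Split a raw request head (everything before the blank line) into its request
    line and header list. Every header instance is kept so duplicates stay visible."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return RequestHead(method, target, version, headers)

def check_host_header(head: RequestHead) -> tuple:
    """Return (ok, reason). RFC 9112 requires exactly one Host field in an HTTP/1.1
    request, so a missing or repeated Host is rejected instead of being resolved."""
    hosts = [value for name, value in head.headers if name == "host"]
    if head.version == "HTTP/1.1" and not hosts:
        return False, "missing Host header"
    if len(hosts) > 1:
        return False, f"{len(hosts)} Host headers: {hosts}"
    return True, hosts[0] if hosts else ""

def triage(raw: bytes) -> tuple:
    return check_host_header(parse_request_head(raw))

# Constructed sample request heads (not captured traffic).
CLEAN = b"GET /items HTTP/1.1\r\nHost: app.example.test\r\nUser-Agent: probe\r\n\r\n"
DUPLICATE = b"GET /items HTTP/1.1\r\nHost: app.example.test\r\nHOST: other.example.test\r\n\r\n"
NO_HOST = b"GET /items HTTP/1.1\r\nUser-Agent: probe\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("duplicate", DUPLICATE), ("no-host", NO_HOST)):
        ok, reason = triage(raw)
        print(f"{label:9} -> {'accept' if ok else 'reject'}: {reason}")
```

The same check can sit in front of an unpatched service (in a reverse proxy or a request-filtering layer) and also serves as the detection rule for the probing pattern named in the list above.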


Advisories

Source: Github GHSA
ID: GHSA-c427-h43c-vf67
Title: AIOHTTP accepts duplicate Host headers
History

Thu, 16 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aiohttp; Aiohttp aiohttp
CPEs | | cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products | | Aiohttp; Aiohttp aiohttp
Metrics | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'} | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aio-libs; Aio-libs aiohttp
Vendors & Products | | Aio-libs; Aio-libs aiohttp

Thu, 02 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}; threat_severity Moderate

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
Title | | AIOHTTP: Duplicate Host header accepted
Weaknesses | | CWE-20; CWE-444
References | |
Metrics | | cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:24:11.311Z

Reserved: 2026-03-30T16:03:31.048Z

Link: CVE-2026-34525

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-01T21:17:00.490

Modified: 2026-04-16T16:21:56.790

Link: CVE-2026-34525

Redhat

Severity: Moderate

Public Date: 2026-04-01T20:28:46Z

Links: CVE-2026-34525 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:16:38Z

Weaknesses