Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
Published: 2026-06-02
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AIOHTTP, an asynchronous HTTP client/server framework for Python, deserializes the file passed to CookieJar.load() without restricting what that file may contain. In versions prior to 3.14.0, a crafted file can therefore execute arbitrary code during deserialization (CWE-502). Whoever controls the loaded file runs code with the privileges of the application process, so confidentiality, integrity and availability of the affected service are all at stake; the CVSS vector on this record rates integrity impact as high and the other two as low.

Affected Systems

The vulnerability affects the aio-libs aiohttp package in every release before 3.14.0. Exposure depends on where the loaded file comes from: an application that passes CookieJar.load() a file a user uploaded, or a path a user controls, is exploitable. An application that only reloads a jar it saved itself with CookieJar.save() is not reachable by an attacker unless that file can be tampered with on disk, which is why the advisory expects few applications to be affected.

Risk and Exploitability

The CVSS 3.1 vector recorded for this CVE (AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L) rates the attack as local, of high complexity, requiring high privileges and user interaction, with a scope change; that combination yields the 6.4 medium score. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The base score describes the generic case, in which the attacker still has to get a crafted file onto the host; for an application that accepts cookie files from remote users and feeds them to CookieJar.load(), the vector is effectively remote and the practical risk is higher than the score suggests. Deployments that process user-supplied files should treat this as a priority fix.

Generated by OpenCVE AI on June 3, 2026 at 03:58 UTC.

Remediation

Fixed in aiohttp 3.14.0. For older releases, the advisory's workaround is to sanitize files before passing them to CookieJar.load(); the simplest way to satisfy that is to load only files the application wrote itself and that an attacker cannot modify.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.14.0 or later
  • If upgrading is not immediately possible, treat any cookie file that could have been written or modified by someone else as executable input, not data: the advisory's workaround is to sanitize such files before passing them to CookieJar.load(), and loading only files the application itself wrote is the simplest way to meet that
  • Review your codebase to ensure CookieJar.load() is only used with trusted input and restrict file uploads to trusted sources
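The CWE-502 mechanics behind the Impact section above, and what "sanitize before loading" from the recommended actions can mean in code, as an added Python example. This is illustration written for this page, not aiohttp's code and not the 3.14.0 fix. It assumes that the cookie jar file is a Python pickle stream (the page names only CWE-502; the pickle format is this editor's reading of the library) and models the saved object as a defaultdict(SimpleCookie) keyed by (domain, path). The "malicious file" is constructed inline and, when loaded with plain pickle, merely calls os.makedirs so that the effect is observable; the RestrictedUnpickler, ALLOWED_GLOBALS and the helper names are the example's own.

```python
"""Added illustration of CWE-502 for a pickle-based cookie jar (not
aiohttp's code). A constructed hostile file runs code when loaded with
plain pickle; a restricted Unpickler refuses it but still loads a
legitimate jar."""
import io
import os
import pickle
import tempfile
from collections import defaultdict
from http.cookies import SimpleCookie

# Assumption: the saved jar is a pickle (protocol 2 or higher) of a
# defaultdict(SimpleCookie) keyed by (domain, path). These are the only
# globals such a stream needs to resolve; everything else is refused.
ALLOWED_GLOBALS = {
    ("collections", "defaultdict"),
    ("http.cookies", "SimpleCookie"),
    ("http.cookies", "Morsel"),
}

# Side-effect marker for the demo payload: a directory that only exists
# if the payload's callable actually ran.
MARKER = os.path.join(tempfile.mkdtemp(prefix="cwe502-demo-"), "payload-ran")


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; abort before any REDUCE can run."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def build_jar():
    """A legitimate jar with one cookie, shaped as assumed above."""
    jar = defaultdict(SimpleCookie)
    jar[("example.com", "/")]["session"] = "abc"
    jar[("example.com", "/")]["session"]["path"] = "/"
    return jar


def save_jar(jar) -> bytes:
    return pickle.dumps(jar, pickle.HIGHEST_PROTOCOL)


class Payload:
    """Unpickling calls the callable returned by __reduce__ with its args.
    os.makedirs stands in for os.system or worse; the class itself never
    appears in the stream, only the (callable, args) pair does."""

    def __reduce__(self):
        return (os.makedirs, (MARKER, 0o700, True))


def malicious_file() -> bytes:
    """Constructed hostile 'cookie file' an attacker could drop on disk."""
    return pickle.dumps(Payload(), pickle.HIGHEST_PROTOCOL)


def load_unrestricted(data: bytes):
    """Vulnerable pattern: plain pickle.load on whatever the file contains."""
    return pickle.load(io.BytesIO(data))


def try_load_restricted(data: bytes):
    """Hardened pattern. Returns (True, jar) or (False, reason)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def payload_ran() -> bool:
    return os.path.isdir(MARKER)


def reset_marker() -> None:
    if os.path.isdir(MARKER):
        os.rmdir(MARKER)


if __name__ == "__main__":
    reset_marker()
    load_unrestricted(malicious_file())
    print("plain pickle.load ran the payload:", payload_ran())
    reset_marker()
    ok, why = try_load_restricted(malicious_file())
    print("restricted load refused it:", not ok and not payload_ran(), why)
    ok, jar = try_load_restricted(save_jar(build_jar()))
    print("legitimate jar still loads:", ok,
          jar[("example.com", "/")]["session"].value)
```

The allowlist is tuned to pickle protocol 2 and above, where dict subclasses are rebuilt through NEWOBJ and reference only their own class; a file written with protocol 0 or 1 goes through copyreg._reconstructor instead and would be refused, which is the safe failure direction. The refusal happens when the global is resolved, before the REDUCE opcode can call anything, so a rejected file has no side effects. None of this makes loading attacker-controlled files a good idea; it is the fallback for releases that cannot yet move to 3.14.0.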



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type: Description
  Values removed: (blank)
  Values added: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
Type: Title
  Values removed: (blank)
  Values added: AIOHTTP Vulnerable to Deserialization of Untrusted Data
Type: Weaknesses
  Values removed: (blank)
  Values added: CWE-502
Type: References
  Values removed: (blank)
  Values added: (blank)
Type: Metrics
  Values removed: (blank)
  Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T18:29:15.847Z

Reserved: 2026-03-31T19:38:31.618Z

Link: CVE-2026-34993

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T20:16:34.857

Modified: 2026-06-02T20:16:34.857

Link: CVE-2026-34993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses