SB2026060921 - Multiple vulnerabilities in aiohttp
Published: June 9, 2026
Breakdown by Severity (chart; levels shown: Low, Medium, High, Critical)
Description
This security bulletin contains information about 8 vulnerabilities.
1) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in websocket frame payload handling: a large websocket frame whose payload never completes is buffered without the usual size limits being applied. A remote attacker can send such large, incomplete frame payloads to cause a denial of service.
The issue can bypass the usual size limits on memory use.
2) Improper Certificate Validation (CVE-ID: N/A)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass TLS hostname verification.
The vulnerability exists due to improper certificate validation in HTTPS connection reuse: an existing pooled connection is reused for later requests even when those requests carry a different per-request server_hostname parameter, so the later hostname is not checked against the certificate of the reused connection. A remote attacker can abuse this connection reuse to bypass TLS hostname verification.
3) Improper Resource Shutdown or Release (CVE-ID: N/A)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause resource starvation.
The vulnerability exists due to improper resource shutdown in payload response handling when a client disconnects in the middle of a write. A remote attacker can repeatedly disconnect during a response body write to cause resource starvation.
The issue can temporarily exhaust open files or similar limited resources until garbage collection or similar cleanup releases them.
4) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in the HTTP/1 pipelined requests queue: pipelined requests are queued without an effective bound. A remote attacker can send many pipelined requests on one connection to cause a denial of service.
5) Resource exhaustion (CVE-ID: N/A)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of compressed request bodies during request body cleanup: a compressed request body that is still being processed at cleanup time is decompressed without regard to how large it expands. A remote attacker can send a specially crafted compressed payload to cause a denial of service.
This is a zip bomb edge case: a small, highly compressible body expands far beyond its wire size.
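The defensive pattern for item 5 is to inflate a body with a hard cap on the decompressed size rather than trusting the ratio. The following is an added illustration written for this bulletin, not aiohttp's own code; it uses only the standard library and a constructed 1 MiB-of-zeros payload as the sample zip bomb, and assumes deflate or gzip framing.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when the inflated body would exceed the configured cap."""


# Constructed samples (not from the advisory): 1 MiB of zeros deflates to
# roughly 1 KiB, the shape of a zip-bomb request body; plus two small bodies.
BOMB = zlib.compress(b"\0" * (1 << 20), 9)
SMALL = zlib.compress(b"hello world")
SMALL_GZ = gzip.compress(b"hello world")


def inflate_bounded(data: bytes, max_out: int, chunk: int = 64 * 1024,
                    wbits: int = zlib.MAX_WBITS | 32) -> bytes:
    """Inflate `data` while never holding more than `max_out` inflated bytes.

    decompressobj.decompress(data, max_length) returns at most `max_length`
    bytes and parks unread input in `unconsumed_tail`, so output stays bounded
    on every step regardless of the compression ratio. wbits 32|15 accepts
    either zlib ("deflate") or gzip framing.
    """
    d = zlib.decompressobj(wbits=wbits)
    out = bytearray()
    pending = data
    while not d.eof:
        room = max_out - len(out)
        # With no room left we still probe for one byte: a stream that is
        # exactly at its end yields nothing and sets eof; anything more is over.
        piece = d.decompress(pending, min(chunk, room) if room > 0 else 1)
        if len(piece) > room:
            raise DecompressionLimitExceeded(f"inflated body exceeds {max_out} bytes")
        progressed = bool(piece) or len(d.unconsumed_tail) < len(pending)
        out += piece
        pending = d.unconsumed_tail
        if not progressed and not d.eof:
            raise zlib.error("truncated or corrupt compressed stream")
    return bytes(out)


def exceeds_limit(data: bytes, max_out: int) -> bool:
    """True if inflating `data` would go past `max_out` bytes."""
    try:
        inflate_bounded(data, max_out)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print(len(BOMB), "compressed bytes; 1 MiB cap ok:", len(inflate_bounded(BOMB, 1 << 20)))
    print("64 KiB cap rejected:", exceeds_limit(BOMB, 64 * 1024))
```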
6) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the C HTTP parser when processing fragmented HTTP request lines. A remote attacker can send specially crafted, oversized request lines split across multiple fragments to cause a denial of service.
Only deployments using the optimized C parser are affected; the pure-Python parser is not.
7) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in DigestAuthMiddleware when following a cross-origin redirect and handling an authentication challenge on the new origin. A remote attacker who can make the client follow a redirect to an attacker-controlled domain can obtain the digest authentication data the middleware sends there, disclosing sensitive information.
Exploitation likely requires an open redirect or similar condition on the target domain, and the exposed digest may only enable credential recovery when weak cryptography or password reuse is involved.
8) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause cookies intended for a single host to be sent to its subdomains.
The vulnerability exists due to improper cookie scope handling in CookieJar persistence: when host-only cookies are saved with CookieJar.save() and restored with CookieJar.load(), the host-only flag is not preserved, so a restored host-only cookie is treated as a domain cookie. A remote attacker controlling a subdomain can thereby receive cookies that were intended only for the parent host.
The issue occurs only after cookies have been persisted to disk and later reloaded.
Remediation
Install the update from the vendor's website.
References
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989
- https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4m7w-qmgq-4wj5
- https://github.com/aio-libs/aiohttp/commit/0ca2b6c28a25726527a8b60f25960262a91ed0e0
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9
- https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4fvr-rgm6-gqmc
- https://github.com/aio-libs/aiohttp/commit/dfdfa9d5aad5d21f91c79fb2ceeba0f8046cb6cf
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74
- https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2
- https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hpj7-wq8m-9hgp
- https://github.com/aio-libs/aiohttp/commit/38d16060037e1bfcd6d677abababa3c2a4bb58fa
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2fqr-mr3j-6wp8
- https://github.com/aio-libs/aiohttp/commit/a329a7aacad5284f087af36103aff778746da0f2