| Package | Installed | Affected | Info |
|---|---|---|---|
| aiohttp | 3.10.10 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled. |
| aiohttp | 3.10.10 | <3.12.14 |
show AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. |
| aiohttp | 3.10.10 | >=3.10.6rc0,<3.10.11 , >=3.11.0b0,<3.11.0 |
show Affected versions of aiohttp are vulnerable to Middleware Cache Pollution. This vulnerability allows attackers to potentially interfere with middleware handling by exploiting cached middleware associated with system routes. The impact includes possible bypassing of security middleware or unintended access to internal routes. The attack vector involves crafting requests that target system routes, causing the middleware cache to store and reuse inappropriate middleware configurations. The vulnerable methods are _build_middlewares and the middleware caching mechanism in web_app.py. To mitigate, upgrade to aiohttp version, which prevents system routes from polluting the middleware cache by excluding SystemRoute instances from caching. |
| aiohttp | 3.10.10 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies. |
| aiohttp | 3.10.10 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values. |
| aiohttp | 3.10.10 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist. |
| aiohttp | 3.10.10 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states. |
| aiohttp | 3.10.10 | >=2.0.0rc1,<3.10.11 |
show Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks. |
| aiohttp | 3.10.10 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size. |
| aiohttp | 3.10.10 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks. |
| aiohttp | 3.10.10 | <3.13.3 |
show Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs. |
https://pyup.io/repos/github/vertexproject/vtx-base-image/python-3-shield.svg
[](https://pyup.io/repos/github/vertexproject/vtx-base-image/)
.. image:: https://pyup.io/repos/github/vertexproject/vtx-base-image/python-3-shield.svg
:target: https://pyup.io/repos/github/vertexproject/vtx-base-image/
:alt: Python 3
<a href="https://pyup.io/repos/github/vertexproject/vtx-base-image/"><img src="https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/vertexproject/vtx-base-image/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/vertexproject/vtx-base-image/
{<img src="https://pyup.io/repos/github/vertexproject/vtx-base-image/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/vertexproject/vtx-base-image/]
https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg
[](https://pyup.io/repos/github/vertexproject/vtx-base-image/)
.. image:: https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg
:target: https://pyup.io/repos/github/vertexproject/vtx-base-image/
:alt: Updates
<a href="https://pyup.io/repos/github/vertexproject/vtx-base-image/"><img src="https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg(Updates)!:https://pyup.io/repos/github/vertexproject/vtx-base-image/
{<img src="https://pyup.io/repos/github/vertexproject/vtx-base-image/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/vertexproject/vtx-base-image/]