Update dependency aiohttp to v3.14.1 [SECURITY]#387
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
d9f0502 to
fc417ed
Compare
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
fc417ed to
0d7c8ef
Compare
renovate
Bot
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.13.3→3.14.1aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
CVE-2026-22815 / GHSA-w2fm-2cpv-w7v5
More information
Details
Summary
Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
Impact
An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.
Patch: aio-libs/aiohttp@0c2e9da
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
CVE-2026-34513 / GHSA-hcc4-c3v8-rx92
More information
Details
Summary
An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.
Impact
If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.
Patch: aio-libs/aiohttp@c4d77c3
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has CRLF injection through multipart part content type header construction
CVE-2026-34514 / GHSA-2vrm-gr82-f7m5
More information
Details
Summary
An attacker who controls the
content_typeparameter in aiohttp could use this to inject extra headers or similar exploits.Impact
If an application allows untrusted data to be used for the multipart
content_typeparameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.Patch: aio-libs/aiohttp@9a6ada9
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
CVE-2026-34515 / GHSA-p998-jp59-783m
More information
Details
Summary
On Windows the static resource handler may expose information about a NTLMv2 remote path.
Impact
If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.
Patch: aio-libs/aiohttp@0ae2aa0
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has a Multipart Header Size Bypass
CVE-2026-34516 / GHSA-m5qp-6w8w-w647
More information
Details
Summary
A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.
Impact
Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.
Patch: aio-libs/aiohttp@8a74257
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has HTTP response splitting via \r in reason phrase
CVE-2026-34519 / GHSA-mwh4-6h8g-pg8w
More information
Details
Summary
An attacker who controls the
reasonparameter when creating aResponsemay be able to inject extra headers or similar exploits.Impact
In the unlikely situation that an application allows untrusted data to be used in the response's
reasonparameter, then an attacker could manipulate the response to send something different from what the developer intended.Patch: aio-libs/aiohttp@53b35a2
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
CVE-2026-34518 / GHSA-966j-vmvw-g2g9
More information
Details
Summary
When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.
Impact
The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect.
Patch: aio-libs/aiohttp@5351c98
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
CVE-2026-34517 / GHSA-3wq7-rqq7-wx6j
More information
Details
Summary
For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.
Impact
If an application uses
Request.post()an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.Patch: aio-libs/aiohttp@cbb774f
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
CVE-2026-34520 / GHSA-63hf-3vf5-4wqf
More information
Details
Summary
The C parser (the default for most installs) accepted null bytes and control characters is response headers.
Impact
An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example,
request.url.origin()may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass.Patch: aio-libs/aiohttp@9370b97
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP accepts duplicate Host headers
CVE-2026-34525 / GHSA-c427-h43c-vf67
More information
Details
Summary
Multiple Host headers were allowed in aiohttp.
Impact
Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using
Application.add_domain().Patch: aio-libs/aiohttp@e00ca3c
Patch: aio-libs/aiohttp@53e2e6f
Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
CVE-2026-34993 / GHSA-jg22-mg44-37j8
More information
Details
Summary
Using
CookieJar.load()with untrusted input may allow arbitrary code execution.Impact
Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.
Workaround
If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.
Patch: aio-libs/aiohttp@dcf40f3
Severity
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
CVE-2026-47265 / GHSA-hg6j-4rv6-33pg
More information
Details
Summary
Cookies set with the
cookiesparameter on requests are sent after following a cross-origin redirect.Impact
If a developer uses the
cookiesparameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect.Workaround
If unable to upgrade, using a
Cookieheader in theheadersparameter is not vulnerable.Patch: aio-libs/aiohttp@f54c408
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
CVE-2026-54279 / GHSA-2fqr-mr3j-6wp8
More information
Details
Summary
Host-only cookies that are saved with
CookieJar.save()and then restored later withCookieJar.load()lose their host-only status.Impact
Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed.
Patch: aio-libs/aiohttp@a329a7a
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: CRLF injection in multipart headers
CVE-2026-50269 / GHSA-m6qw-4cw2-hm4m
More information
Details
Summary
Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar.
Impact
In the unlikely situation that an application is passing user-controlled strings into
MultipartWriter.append(headers=...)orPayload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request.Workaround
Sanitise such user input.
Patch: aio-libs/aiohttp@bf88077
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
CVE-2026-54278 / GHSA-g3cq-j2xw-wf74
More information
Details
Summary
During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.
Impact
An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).
Workaround
Disable compression if unable to upgrade.
Patch: aio-libs/aiohttp@4f7480e
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
CVE-2026-54277 / GHSA-63hw-fmq6-xxg2
More information
Details
Summary
It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser.
Impact
If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.
Patch: aio-libs/aiohttp@5ab61bb
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
CVE-2026-54280 / GHSA-9x8q-7h8h-wcw9
More information
Details
Summary
Payload resources are not closed correctly when a client disconnects in the middle of a write.
Impact
If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.
Patch: aio-libs/aiohttp@a762eda
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
CVE-2026-54273 / GHSA-4fvr-rgm6-gqmc
More information
Details
Summary
No limit was present on the number of pipelined requests that could be queued.
Impact
An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS.
Patch: aio-libs/aiohttp@dfdfa9d
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: Incomplete websocket frame payloads bypass memory limits
CVE-2026-54274 / GHSA-xcgm-r5h9-7989
More information
Details
Summary
If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.
Impact
If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use.
Patch: aio-libs/aiohttp@14b6ee8
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
CVE-2026-54276 / GHSA-hpj7-wq8m-9hgp
More information
Details
Summary
DigestAuthMiddlewarecan send an authentication response after following a cross-origin redirect.Impact
If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest.
This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse.
Workaround
Disable
follow_redirectsif this is a concern.Patch: aio-libs/aiohttp@38d1606
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
CVE-2026-54275 / GHSA-4m7w-qmgq-4wj5
More information
Details
Summary
The
server_hostnameTLS SNI check can be bypassed when an existing connection is reused.Impact
If an application makes multiple requests to the same domain, but with different per-request
server_hostnameparameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.Workaround
Disable keep_alive if you need to change the
server_hostnamecheck between requests.Patch: aio-libs/aiohttp@0ca2b6c
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
aio-libs/aiohttp (aiohttp)
v3.14.1Compare Source
===================
Bug fixes
Fixed a race condition in :py:class:
~aiohttp.TCPConnectorwhere closing the connector while a DNS resolution was in-flight could raise :py:exc:AttributeErrorinstead of :py:exc:~aiohttp.ClientConnectionError-- by :user:goingforstudying-ctrl.Related issues and pull requests on GitHub:
:issue:
12497.Fixed
CancelledErrornot closing a connection -- by :user:aiolibsbot.Related issues and pull requests on GitHub:
:issue:
12795.Tightened up some websocket parser checks -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
12817.Fixed :class:
~aiohttp.CookieJardropping the host-only flag of cookies when persisted with :meth:~aiohttp.CookieJar.saveand reloaded with :meth:~aiohttp.CookieJar.load, so a cookie set without aDomainattribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:~aiohttp.CookieJar.loadnow replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:~aiohttp.CookieJar.update_cookies, so a cookie for an IP-address host is dropped when loaded into a jar created withoutunsafe=True-- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12824.Scoped :class:
~aiohttp.DigestAuthMiddlewarecredentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616domaindirective -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12825.Fixed the C HTTP parser not enforcing
max_line_sizeon a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raisingLineTooLong. The accumulated length is now checked, matching the pure-Python parser -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12826.Changed :class:
~aiohttp.TCPConnectorto reject legacy non-canonical numeric IPv4 host forms such as2130706433,017700000001and127.1with :exc:~aiohttp.InvalidUrlClientError; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12827.Fixed :meth:
~aiohttp.StreamReader.readanyand :meth:~aiohttp.StreamReader.read_nowaitjoining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:bytes; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12828.Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
12830.Fixed :meth:
aiohttp.web.Response.write_eofskippingPayload.close()when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in afinallyso a :class:~aiohttp.payload.Payloadbody always releases its resources -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12831.Fixed the pure-Python HTTP parser not enforcing
max_line_sizeon a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12832.Included the per-request
server_hostnameoverride in the :class:~aiohttp.TCPConnectorconnection pool key, so a pooled TLS connection is no longer reused for a request that setsserver_hostnameto a different value -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
12835.v3.14.0: 3.14.0Compare Source
We have a new website! https://aio-libs.org
Subscribe to the news feed to find out more about what we're working on in future.
Features
Added
RequestKeyandResponseKeyclasses,which enable static type checking for request & response
context storages in the same way that
AppKeydoes forApplication-- by :user:
gsoldatov.Related issues and pull requests on GitHub:
#11766.
Added :func:
~aiohttp.encode_basic_authfor encoding HTTP BasicAuthentication credentials. Replaces the now-deprecated
:class:
~aiohttp.BasicAuth-- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#12499.
Started accepting :term:
asynchronous context managers <asynchronous context manager>for cleanup contexts.Legacy single-yield :term:
asynchronous generatorcleanup contexts continue to besupported; async context managers are adapted internally so they are
entered at startup and exited during cleanup.
-- by :user:
MannXo.Related issues and pull requests on GitHub:
#11681.
Added :py:attr:
~aiohttp.CookieJar.cookiesand :py:attr:~aiohttp.CookieJar.host_only_cookiesread-only properties to :py:class:~aiohttp.CookieJarexposing the stored cookies with their full attributes -- by :user:Br1an67.Related issues and pull requests on GitHub:
#3951.
Added :py:attr:
~aiohttp.web.TCPSite.portaccessor for dynamic port allocations in :class:~aiohttp.web.TCPSite-- by :user:twhittock-disguiseand :user:rodrigobnogueira.Related issues and pull requests on GitHub:
#10665.
Added
decode_textparameter to :meth:~aiohttp.ClientSession.ws_connectand :class:~aiohttp.web.WebSocketResponseto receive WebSocket TEXT messages as raw bytes instead of decoded strings, enabling direct use with high-performance JSON parsers likeorjson-- by :user:bdraco.Related issues and pull requests on GitHub:
#11763, #11764.
Large overhaul of parser/decompression code.
The zip bomb security fix in 3.13 stopped highly compressed payloads
from being decompressed, regardless of validity. Now aiohttp will
decompress such payloads in chunks of 256+ KiB, allowing safe decompression
of such payloads.
-- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
#11966.
Added explicit APIs for bytes-returning JSON serializer:
JSONBytesEncodertype,JsonBytesPayload,:func:
~aiohttp.web.json_bytes_response,:meth:
~aiohttp.web.WebSocketResponse.send_json_bytesand:meth:
~aiohttp.ClientWebSocketResponse.send_json_bytesmethods, andjson_serialize_bytesparameter for :class:~aiohttp.ClientSession-- by :user:
kevinpark1217.Related issues and pull requests on GitHub:
#11989.
Added :attr:
~aiohttp.ClientResponse.output_sizeand:attr:
~aiohttp.ClientResponse.upload_complete-- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#12452.
Bug fixes
Fixed
ZLibDecompressorsilently dropping data past the firstmember when decompressing concatenated gzip/deflate streams. Each subsequent
member is now handed to a fresh decompressor, matching the behaviour already
implemented for ZSTD multi-frame streams.
-- by :user:
Ashutosh-177Related issues and pull requests on GitHub:
#7157.
Improved the parser error message shown when TLS handshake bytes are received on an HTTP port -- by :user:
puneetdixit200.Related issues and pull requests on GitHub:
#10142.
Fixed the C parser failing to reject a response with a body when none was expected -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
#10587.
Fixed http parser not rejecting HTTP/1.1 requests that do not have valid Host header.
-- by :user:
Cycloctane.Related issues and pull requests on GitHub:
#10600.
Fixed misleading TLS-in-TLS warning being emitted when sending HTTPS requests through an HTTP proxy. The warning now only fires when the proxy itself uses HTTPS, which is the only case where TLS-in-TLS actually applies -- by :user:
wavebyrd.Related issues and pull requests on GitHub:
#10683.
Fixed
AssertionErrorwhen the transport isNoneduring WebSocketpreparation or file response sending (e.g. when a client disconnects
immediately after connecting). A
ConnectionResetErroris now raisedinstead -- by :user:
agners.Related issues and pull requests on GitHub:
#11761.
Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has
unsafe=Trueand the target URL uses an IP address, by copying theunsafesetting from the session's cookie jar to the temporary cookie jar -- by :user:Krishnachaitanyakc.Related issues and pull requests on GitHub:
#12011.
Reset the WebSocket heartbeat timer on inbound data to avoid false ping/pong timeouts while receiving large frames
-- by :user:
hoffmang9.Related issues and pull requests on GitHub:
#12030.
Switched :py:meth:
~aiohttp.CookieJar.saveto use JSON format and:py:meth:
~aiohttp.CookieJar.loadto try JSON first with a fallback toa restricted pickle unpickler -- by :user:
YuvalElbar6.Related issues and pull requests on GitHub:
#12091.
Fixed redirects with consumed non-rewindable request bodies to raise
:class:
aiohttp.ClientPayloadErrorinstead of silently sending an empty body.Related issues and pull requests on GitHub:
#12195.
Fixed zstd decompression failing with
ClientPayloadErrorwhen the serversends a response as multiple zstd frames -- by :user:
josu-moreno.Related issues and pull requests on GitHub:
#12234.
Fixed spurious
Future exception was never retrievedwarning on disconnect during back-pressure -- by :user:availov.Related issues and pull requests on GitHub:
#12281.
Cookiejar.save()now uses0x600permissions to better protect them from being read by other users -- by :user:digiscrypt.Related issues and pull requests on GitHub:
#12312.
Fixed a crash (:external+python:exc:
~http.cookies.CookieError) in the cookie parser when receiving cookiescontaining ASCII control characters on CPython builds with the :cve:
2026-3644patch. The parser now gracefully skips cookies whose value contains control
characters instead of letting the exception propagate -- by :user:
rodrigobnogueira.Related issues and pull requests on GitHub:
#12395.
Fixed digest authentication failing for requests whose path or query string contains percent-encoded reserved characters; the digest signature now uses the encoded request-target that is sent on the wire instead of the decoded form -- by :user:
bdraco.Related issues and pull requests on GitHub:
#12436.
Fixed :func:
aiohttp.web.run_applosing inner traceback frames when anexception is raised during application startup (e.g. inside
cleanup_ctxoron_startup). Regression since 3.10.6.Related issues and pull requests on GitHub:
#12493.
Fixed per-request
cookiesnot being dropped on cross-origin redirects -- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#12550.
Fixed invalid bytes being allowed in multipart/payload headers -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
#12719.
Fixed :py:meth:
~aiohttp.FormData.add_fieldaccepting invalid bytes innameandfilename-- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#12721.
Fixed websocket upgrade occurring when header contained a value like
notupgrade-- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#12723.
Deprecations (removal in next major release)
Deprecated :class:
~aiohttp.BasicAuthand theauth/proxy_authparameters. They will be removed in aiohttp 4.0. Use the new
:func:
~aiohttp.encode_basic_authhelper together withheaders={"Authorization": ...}(orproxy_headers={"Proxy-Authorization": ...}for proxies) instead.Note that
encode_basic_auth()defaults toutf-8, notlatin1-- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
#12499.
Added deprecation warning to
aiohttp.pytest_plugin, please switch topytest-aiohttp-- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#10785.
Removals and backward incompatible breaking changes
Stopped calling :func:
socket.getfqdnas the fallback for:attr:
aiohttp.web.BaseRequest.host. :func:socket.getfqdnperforms blocking reverse DNS resolution on the event loop
thread and can stall a worker for many seconds when the system
resolver is slow, and could be triggered remotely by an HTTP/1.0
request that omits the
Hostheader. The fallback when noHostheader is present is now the local socket address therequest arrived on (transport
sockname), or an empty stringif no transport information is available. Code that relied on
the FQDN being returned must now read it from
:func:
socket.getfqdndirectly, off the event loop-- by :user:
bdraco.Related issues and pull requests on GitHub:
#9308, #12597.
Dropped support for Python 3.9 -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
#11601.
Tightened outbound header serialization to reject all ASCII control
characters forbidden by :rfc:
9110#section-5.5and :rfc:9112#section-4(
0x00-0x08,0x0A-0x1F,0x7F) in status lines,header field-names, and field-values. Previously only CR, LF and NUL were
rejected. HTAB (
0x09) remains permitted in field values. Applicationsthat placed bare control characters in outbound headers will now raise
:exc:
ValueErrorinstead of emitting non-RFC-compliant bytes -- by :user:rodrigobnogueira.Related issues and pull requests on GitHub:
#12689.
Improved documentation
Replaced the deprecated
ujsonlibrary withorjsonin theclient quickstart documentation.
ujsonhas been put intomaintenance-only mode;
orjsonis the recommended alternative.-- by :user:
indoor47Related issues and pull requests on GitHub:
#10795.
Added the :doc:
threat_modelto the Sphinx documentation -- by :user:omkar-334.Related issues and pull requests on GitHub:
#12549.
Removed archived and deprecated repositories from third party list -- by :user:
Polandia94.Related issues and pull requests on GitHub:
#12726.
Added
aiointerceptto list of third-party libraries -- by :user:Polandia94.Related issues and pull requests on GitHub:
#12727.
Packaging updates and notes for downstreams
Added wheels for Android and iOS platforms -- by :user:
timrid.Related issues and pull requests on GitHub:
#11750.
Parallelized the Cython extension compilation by defaulting
build_ext.paralleltoos.cpu_count(), so each module'sgccinvocation now runs concurrently instead of one at a time-- by :user:
bdraco.Related issues and pull requests on GitHub:
#12576.
Submitted vendored
llhttpto Github's SBOM -- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#12678.
Updated
llhttpto v9.4.1 -- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#12681.
Contributor-facing changes
The coverage tool is now configured using the new native
auto-discovered :file:
.coveragerc.tomlfile-- by :user:
webknjaz.It is also set up to use the
ctracecore that worksaround the performance issues in the
sysmontracerwhich is default under Python 3.14.
Related issues and pull requests on GitHub:
#11826.
Fixed and reworked
autobahntests -- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#12173.
Added a CI job to measure Cython coverage -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
#12349.
Disabled
coverageandxdistby default to ease local development -- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
#12364.
Avoid installation of backports.zstd on Python 3.14 in linting dependency set
-- by :user:
seifertm.Related issues and pull requests on GitHub:
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.