CVE-2026-34520
Null Byte Injection in AIOHTTP C Parser Allows Header Manipulation
Publication date: 2026-04-01
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiohttp | aiohttp | before 3.13.4 (3.13.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser used by AIOHTTP accepted null bytes and control characters in response headers, which is not expected behavior. This issue was fixed in version 3.13.4.
How can this vulnerability impact me?
Accepting null bytes and control characters in response headers can lead to unexpected behavior in applications using AIOHTTP. This may cause security issues such as header injection or improper parsing of HTTP responses, potentially leading to information disclosure or other security risks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the AIOHTTP package to version 3.13.4 or later, where the issue with the C parser accepting null bytes and control characters in response headers has been patched.
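The Q&A above describes the flaw only in prose. As an added example (editor's code, not aiohttp's parser or any code from the fix), the following strict header check shows what "not accepting NUL and control characters in response headers" means in practice: it applies the RFC 9110 field-value grammar to a raw HTTP/1.x response and reports every header line that carries such bytes, which is also a handy check when reviewing what an upstream actually returns to a client.

```python
import re

# Field-value grammar from RFC 9110 section 5.5 (assumption: this regex is the
# editor's own approximation, not aiohttp's implementation): VCHAR, SP, HTAB
# and obs-text. NUL and every other control byte (0x00-0x08, 0x0A-0x1F, 0x7F)
# fall outside the allowed set and are therefore rejected.
_FIELD_VALUE_RE = re.compile(rb"^[\t\x20-\x7e\x80-\xff]*$")
# Field-name grammar: a non-empty token (RFC 9110 section 5.1).
_FIELD_NAME_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def find_bad_headers(raw: bytes) -> list:
    """Return (header line, reason) for each response header a strict parser
    should refuse. `raw` is the full byte string of an HTTP/1.x response."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return [(raw, "incomplete header block")]
    problems = []
    for line in head.split(b"\r\n")[1:]:  # [0] is the status line
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append((line, "no colon"))
        elif not _FIELD_NAME_RE.match(name):
            problems.append((line, "invalid field name"))
        elif not _FIELD_VALUE_RE.match(value.strip(b" \t")):
            bad = sorted({c for c in value if c < 0x20 or c == 0x7F})
            problems.append((line, "control byte(s) in value: "
                             + ", ".join(f"0x{c:02x}" for c in bad)))
    return problems


def parse_response_headers(raw: bytes) -> dict:
    """Strict parse: raise ValueError rather than pass NUL/control bytes through."""
    problems = find_bad_headers(raw)
    if problems:
        raise ValueError(f"rejected {len(problems)} header line(s): {problems}")
    headers = {}
    for line in raw.partition(b"\r\n\r\n")[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.lower()] = value.strip(b" \t")
    return headers


# Constructed sample responses (not captured traffic).
GOOD = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nok"
BAD = (b"HTTP/1.1 302 Found\r\n"
       b"Location: /next\x00ignored\r\n"   # NUL inside the value
       b"Set-Cookie: a=b\x01c\r\n"         # another control byte
       b"X-Ok: fine\r\n\r\n")
```

Running `find_bad_headers(BAD)` lists the two offending lines with the control bytes found, while `parse_response_headers(GOOD)` returns the lower-cased header map for the clean response.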