CVE-2026-34525
Multiple Host Header Vulnerability in AIOHTTP Before
Publication date: 2026-04-01
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiohttp | aiohttp | to 3.13.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, involves the acceptance of multiple Host headers prior to version 3.13.4. This behavior was unintended and has been addressed in version 3.13.4.
How can this vulnerability impact me? :
Allowing multiple Host headers can lead to security issues such as request smuggling or confusion in how the server processes requests, potentially enabling attackers to bypass security controls or cause unexpected behavior.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade aiohttp to version 3.13.4 or later, where the issue allowing multiple Host headers has been patched.