CVE-2026-34993
Code Execution via CookieJar.load in AIOHTTP
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aio-libs | aiohttp | < 3.14.0 (3.14.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34993 affects aiohttp versions prior to 3.14.0. The CookieJar.load() method deserializes saved cookie data; when the data it loads is untrusted or attacker-controlled, the unsafe deserialization can lead to arbitrary code execution.
The issue arises because the deserialization process can execute code embedded in the data rather than treating it as plain cookie values. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data).
The vulnerability requires local access, high privileges, and user interaction to exploit, and it has a moderate severity with a CVSS score of 6.4.
Version 3.14.0 of aiohttp patches this issue by introducing a restricted unpickler that only allows safe cookie-related types during deserialization and switching to JSON-based serialization by default.
How can this vulnerability impact me?
If exploited, this vulnerability can lead to arbitrary code execution within the context of the application using aiohttp's CookieJar.load() method.
This means an attacker with local access and high privileges could execute malicious code, potentially compromising the integrity of the system.
The impact includes high integrity loss, with some loss of confidentiality and availability, although these are considered low.
However, most applications use this function with their own trusted data, so the risk is limited unless attacker-controlled files are loaded.
To mitigate the risk on older versions, sanitizing files before loading them is recommended if untrusted data must be handled.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the unsafe deserialization of untrusted data in the aiohttp library's CookieJar.load() function prior to version 3.14.0. Detection would focus on identifying usage of vulnerable aiohttp versions and whether untrusted or attacker-controlled pickle files are being loaded.
To detect if your system is vulnerable, you can check the aiohttp version installed by running the following command in your Python environment:
- `python -c "import aiohttp; print(aiohttp.__version__)"`
If the version is earlier than 3.14.0, your system may be vulnerable if it loads cookie data from untrusted sources.
Additionally, you can audit your application code or logs to see if CookieJar.load() is called with files or data that could be attacker-controlled.
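As an added illustration of the two checks described above (example code written for this page, not tooling from aiohttp or the advisory), the Python below compares a version string against the 3.14.0 fix line from this entry, looks up the installed aiohttp through importlib.metadata without importing the package, and walks a source file's AST for calls of the form `<jar>.load(...)`. The `SAMPLE_SOURCE` string and the heuristic that the receiver's name contains "jar" or "cookie" are constructed assumptions for the example.

```python
import ast
import re
from importlib import metadata
from typing import List, Optional, Tuple

# Fix version taken from this advisory; anything below it is affected.
FIXED_VERSION = (3, 14, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.13.2', '3.9' or '3.14.0rc1' into a (major, minor, patch) tuple.

    Pre-release suffixes are dropped, so '3.14.0rc1' compares as 3.14.0; treat
    release candidates as unverified rather than as patched.
    """
    parts: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable_version(version: str) -> bool:
    """True when the given aiohttp version predates the 3.14.0 fix."""
    return parse_version(version) < FIXED_VERSION


def check_installed_aiohttp() -> Optional[bool]:
    """Look up the installed aiohttp distribution without importing it.

    Returns True (vulnerable) or False (fixed), or None when aiohttp is absent.
    """
    try:
        return is_vulnerable_version(metadata.version("aiohttp"))
    except metadata.PackageNotFoundError:
        return None


def find_cookiejar_load_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line number, call text) for calls that look like a cookie jar
    being loaded from a file.

    Heuristic (an assumption of this example): the receiver expression mentions
    'jar' or 'cookie', which catches jar.load(...), self.cookie_jar.load(...)
    and CookieJar.load(...) while ignoring json.load(...) and similar calls.
    """
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "load"):
            continue
        receiver = ast.unparse(func.value).lower()
        if "jar" in receiver or "cookie" in receiver:
            hits.append((node.lineno, ast.unparse(node)))
    return hits


# Constructed sample source for the audit; not taken from any real project.
SAMPLE_SOURCE = """\
import json
import aiohttp

jar = aiohttp.CookieJar()
jar.load(user_supplied_path)
config = json.load(open("config.json"))
self.cookie_jar.load("cookies.pickle")
"""


if __name__ == "__main__":
    print("installed aiohttp vulnerable:", check_installed_aiohttp())
    for line, text in find_cookiejar_load_calls(SAMPLE_SOURCE):
        print(f"line {line}: {text}")
```

Run `find_cookiejar_load_calls` over each file of the application (for example by reading every `*.py` under the project root) and review each reported call site for where the path or bytes come from; a hit is a lead for manual review, not proof that the data is attacker-controlled.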
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the aiohttp library to version 3.14.0 or later, where the vulnerability has been patched.
If upgrading immediately is not possible, ensure that any files loaded by CookieJar.load() are sanitized and not attacker-controlled to prevent arbitrary code execution.
The patch in version 3.14.0 changes the serialization format to JSON by default and uses a restricted unpickler to prevent unsafe deserialization.
Therefore, updating to the fixed version is the most effective and recommended mitigation.
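To show the shape of the two fixes the answer above describes, here is an added Python example written for this page; it is not aiohttp's implementation, whose allowlist and internals may differ. It defines a pickle.Unpickler subclass whose find_class resolves only the two http.cookies types on an assumed allowlist, and a JSON round trip that carries cookie data without any class references at all. `build_sample_jar`, the `NOT_A_COOKIE` stream (a pickled collections.OrderedDict standing in for any non-cookie type) and the helper names are constructed for the example.

```python
import io
import json
import pickle
from collections import OrderedDict
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# Assumed allowlist for this example; aiohttp's own list may differ.
ALLOWED_GLOBALS = {
    ("http.cookies", "SimpleCookie"),
    ("http.cookies", "Morsel"),
}


class RestrictedCookieUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    pickle reaches classes and callables through find_class; gating that one
    call is what keeps a cookie file from pulling in arbitrary objects, which
    is the CWE-502 exposure in CookieJar.load before 3.14.0.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not an allowed cookie type")


def restricted_loads(data: bytes) -> SimpleCookie:
    """Deserialize a pickled SimpleCookie under the allowlist."""
    return RestrictedCookieUnpickler(io.BytesIO(data)).load()


def safe_load_cookies(data: bytes) -> Tuple[Optional[SimpleCookie], Optional[str]]:
    """Return (cookie, None) on success or (None, reason) when the stream is refused."""
    try:
        return restricted_loads(data), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


def pickle_round_trip(cookie: SimpleCookie) -> SimpleCookie:
    """Serialize with plain pickle (the legacy format) and load it back restricted."""
    return restricted_loads(pickle.dumps(cookie))


def cookies_to_json(cookie: SimpleCookie) -> str:
    """JSON carries data only, so nothing can be resolved or called on load."""
    return json.dumps(
        {name: {"value": m.value, "attrs": {k: v for k, v in m.items() if v}}
         for name, m in cookie.items()},
        sort_keys=True)


def cookies_from_json(text: str) -> SimpleCookie:
    """Rebuild a SimpleCookie from the JSON produced by cookies_to_json."""
    cookie = SimpleCookie()
    for name, entry in json.loads(text).items():
        cookie[name] = entry["value"]
        for attr, val in entry["attrs"].items():
            cookie[name][attr] = val  # Morsel rejects non-reserved attribute names
    return cookie


def build_sample_jar() -> SimpleCookie:
    """Constructed sample data for the demonstration."""
    cookie = SimpleCookie()
    cookie["session"] = "abc123"
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True
    return cookie


# Constructed stand-in for a non-cookie object inside a cookie file: a plain
# OrderedDict, which pickle records as a reference to collections.OrderedDict.
NOT_A_COOKIE = pickle.dumps(OrderedDict(session="abc123"))


if __name__ == "__main__":
    jar = build_sample_jar()
    print(pickle_round_trip(jar).output())
    print(safe_load_cookies(NOT_A_COOKIE))
    print(cookies_from_json(cookies_to_json(jar)).output())
```

The restricted unpickler is the compatibility path for files that already exist in the pickle format; new files should be written with the JSON form, which removes the deserialization question entirely. Any refusal from `safe_load_cookies` is worth logging with the file path, since a cookie file that references non-cookie types was not written by the application.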
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in aiohttp prior to version 3.14.0 involves arbitrary code execution through deserialization of untrusted data in the CookieJar.load() function. This can lead to high integrity loss, which may impact the security posture of applications handling sensitive data.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the potential for arbitrary code execution and integrity compromise could pose risks to data protection and privacy requirements mandated by these regulations.
Applications that process personal or sensitive data under these regulations should ensure they are not using vulnerable versions of aiohttp or must sanitize untrusted inputs before loading to mitigate risks that could lead to non-compliance due to data breaches or unauthorized data manipulation.