GHSA-63hf-3vf5-4wqf

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Details

Summary

The C parser (the default for most installs) accepted null bytes and control characters is response headers.

Impact

An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass.

Patch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4

Database specific

{
    "cwe_ids": [
        "CWE-113"
    ],
    "github_reviewed_at": "2026-04-01T21:49:06Z",
    "nvd_published_at": "2026-04-01T21:17:00Z",
    "github_reviewed": true,
    "severity": "LOW"
}

References

Affected packages

PyPI / aiohttp

Package

Name: aiohttp; View open source insights on deps.dev
Purl: pkg:pypi/aiohttp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.13.4

Affected versions

0.*

0.1

0.2

0.3

0.4

0.4.1

0.4.2

0.4.3

0.4.4

0.5.0

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.7.0

0.7.1

0.7.2

0.7.3

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.9.0

0.9.1

0.9.2

0.9.3

0.10.0

0.10.1

0.10.2

0.11.0

0.12.0

0.13.0

0.13.1

0.14.0

0.14.1

0.14.2

0.14.3

0.14.4

0.15.0

0.15.1

0.15.2

0.15.3

0.16.0

0.16.1

0.16.2

0.16.3

0.16.4

0.16.5

0.16.6

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.19.0

0.20.0

0.20.1

0.20.2

0.21.0

0.21.1

0.21.2

0.21.4

0.21.5

0.21.6

0.22.0a0

0.22.0b0

0.22.0b1

0.22.0b2

0.22.0b3

0.22.0b4

0.22.0b5

0.22.0b6

0.22.0

0.22.1

0.22.2

0.22.3

0.22.4

0.22.5

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.5

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

2.*

2.0.0rc1

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0a1

2.3.0a2

2.3.0a3

2.3.0a4

2.3.0

2.3.1a1

2.3.1

2.3.2b2

2.3.2b3

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

3.*

3.0.0b0

3.0.0b1

3.0.0b2

3.0.0b3

3.0.0b4

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.1.3

3.2.0

3.2.1

3.3.0a0

3.3.0

3.3.1

3.3.2a0

3.3.2

3.4.0a0

3.4.0a3

3.4.0b1

3.4.0b2

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.5.0a1

3.5.0b1

3.5.0b2

3.5.0b3

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.6.0a0

3.6.0a1

3.6.0a2

3.6.0a3

3.6.0a4

3.6.0a5

3.6.0a6

3.6.0a7

3.6.0a8

3.6.0a9

3.6.0a11

3.6.0a12

3.6.0b0

3.6.0

3.6.1b3

3.6.1b4

3.6.1

3.6.2a0

3.6.2a1

3.6.2a2

3.6.2

3.6.3

3.7.0b0

3.7.0b1

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.4.post0

3.8.0a7

3.8.0b0

3.8.0

3.8.1

3.8.2

3.8.3

3.8.4

3.8.5

3.8.6

3.9.0b0

3.9.0b1

3.9.0rc0

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4rc0

3.9.4

3.9.5

3.10.0b1

3.10.0rc0

3.10.0

3.10.1

3.10.2

3.10.3

3.10.4

3.10.5

3.10.6rc0

3.10.6rc1

3.10.6rc2

3.10.6

3.10.7

3.10.8

3.10.9

3.10.10

3.10.11rc0

3.10.11

3.11.0b0

3.11.0b1

3.11.0b2

3.11.0b3

3.11.0b4

3.11.0b5

3.11.0rc0

3.11.0rc1

3.11.0rc2

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.5

3.11.6

3.11.7

3.11.8

3.11.9

3.11.10

3.11.11

3.11.12

3.11.13

3.11.14

3.11.15

3.11.16

3.11.17

3.11.18

3.12.0b0

3.12.0b1

3.12.0b2

3.12.0b3

3.12.0rc0

3.12.0rc1

3.12.0

3.12.1rc0

3.12.1

3.12.2

3.12.3

3.12.4

3.12.6

3.12.7rc0

3.12.7

3.12.8

3.12.9

3.12.10

3.12.11

3.12.12

3.12.13

3.12.14

3.12.15

3.13.0

3.13.1

3.13.2

3.13.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-63hf-3vf5-4wqf/GHSA-63hf-3vf5-4wqf.json"

last_known_affected_version_range

"<= 3.13.3"