GHSA-c427-h43c-vf67

Suggest an improvement
Source
https://github.com/advisories/GHSA-c427-h43c-vf67
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-c427-h43c-vf67/GHSA-c427-h43c-vf67.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c427-h43c-vf67
Aliases
  • CVE-2026-34525
Related
Published
2026-04-01T21:49:45Z
Modified
2026-04-02T21:14:30.281347220Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
AIOHTTP accepts duplicate Host headers
Details

Summary

Multiple Host headers were allowed in aiohttp.

Impact

Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().

Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349 Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:49:45Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-20",
        "CWE-444"
    ],
    "nvd_published_at": "2026-04-01T21:17:00Z"
}
References

Affected packages

PyPI / aiohttp

Package

Name
aiohttp
View open source insights on deps.dev
Purl
pkg:pypi/aiohttp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.13.4

Affected versions

0.*
0.1
0.2
0.3
0.4
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.11.0
0.12.0
0.13.0
0.13.1
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.15.0
0.15.1
0.15.2
0.15.3
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.19.0
0.20.0
0.20.1
0.20.2
0.21.0
0.21.1
0.21.2
0.21.4
0.21.5
0.21.6
0.22.0a0
0.22.0b0
0.22.0b1
0.22.0b2
0.22.0b3
0.22.0b4
0.22.0b5
0.22.0b6
0.22.0
0.22.1
0.22.2
0.22.3
0.22.4
0.22.5
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.5
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
2.*
2.0.0rc1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0a1
2.3.0a2
2.3.0a3
2.3.0a4
2.3.0
2.3.1a1
2.3.1
2.3.2b2
2.3.2b3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
3.*
3.0.0b0
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0
3.2.1
3.3.0a0
3.3.0
3.3.1
3.3.2a0
3.3.2
3.4.0a0
3.4.0a3
3.4.0b1
3.4.0b2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0a1
3.5.0b1
3.5.0b2
3.5.0b3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.6.0a0
3.6.0a1
3.6.0a2
3.6.0a3
3.6.0a4
3.6.0a5
3.6.0a6
3.6.0a7
3.6.0a8
3.6.0a9
3.6.0a11
3.6.0a12
3.6.0b0
3.6.0
3.6.1b3
3.6.1b4
3.6.1
3.6.2a0
3.6.2a1
3.6.2a2
3.6.2
3.6.3
3.7.0b0
3.7.0b1
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.4.post0
3.8.0a7
3.8.0b0
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.9.0b0
3.9.0b1
3.9.0rc0
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4rc0
3.9.4
3.9.5
3.10.0b1
3.10.0rc0
3.10.0
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6rc0
3.10.6rc1
3.10.6rc2
3.10.6
3.10.7
3.10.8
3.10.9
3.10.10
3.10.11rc0
3.10.11
3.11.0b0
3.11.0b1
3.11.0b2
3.11.0b3
3.11.0b4
3.11.0b5
3.11.0rc0
3.11.0rc1
3.11.0rc2
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.11.8
3.11.9
3.11.10
3.11.11
3.11.12
3.11.13
3.11.14
3.11.15
3.11.16
3.11.17
3.11.18
3.12.0b0
3.12.0b1
3.12.0b2
3.12.0b3
3.12.0rc0
3.12.0rc1
3.12.0
3.12.1rc0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.6
3.12.7rc0
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
3.12.13
3.12.14
3.12.15
3.13.0
3.13.1
3.13.2
3.13.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-c427-h43c-vf67/GHSA-c427-h43c-vf67.json"
last_known_affected_version_range 
"<= 3.13.3"