GHSA-hg6j-4rv6-33pg

Source
https://github.com/advisories/GHSA-hg6j-4rv6-33pg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hg6j-4rv6-33pg/GHSA-hg6j-4rv6-33pg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hg6j-4rv6-33pg
Aliases
  • CVE-2026-47265
Published
2026-06-03T21:34:38Z
Modified
2026-06-04T15:29:16.657025332Z
Severity
  • 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
Summary
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
Details

Summary

Cookies passed through the cookies parameter of a request are still sent when the client follows a redirect to a different origin.

Impact

If a developer passes the cookies parameter on a per-request basis, sensitive data might be leaked to an attacker who manages to control a redirect.

Workaround

If you are unable to upgrade, send the cookies as a Cookie header in the headers parameter instead; that path is not vulnerable.
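The check that decides whether a redirect hop may still carry per-request cookies can be modelled offline, as in this added example (it is not aiohttp's patch and not code from the advisory). The names origin and plan_redirects and the sample URLs are hypothetical, and dropping the cookies for the rest of the chain after the first cross-origin hop is a conservative assumption.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of an absolute URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # Normalise implicit ports so https://h/ and https://h:443/ compare equal.
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def plan_redirects(start_url, locations, cookies):
    """Model a redirect chain and decide which hops may carry the cookies.

    locations: Location header values in the order received (may be relative).
    Returns one (url, cookies_to_send) pair per request in the chain.
    Assumption: once a hop leaves the starting origin, the cookies stay
    dropped even if a later hop returns to that origin.
    """
    trusted = origin(start_url)
    allowed = True
    url = start_url
    plan = [(url, dict(cookies))]
    for location in locations:
        url = urljoin(url, location)  # resolve relative Location values
        if origin(url) != trusted:
            allowed = False  # scheme, host or port changed: cross-origin
        plan.append((url, dict(cookies) if allowed else {}))
    return plan


if __name__ == "__main__":
    # Constructed chain: a same-origin relative hop, a cross-origin hop,
    # then a hop back to the starting origin.
    chain = ["/login?next=1", "https://other.example/collect",
             "https://api.example/back"]
    start = "https://api.example/v1"
    for hop_url, sent in plan_redirects(start, chain, {"session": "s3cr3t"}):
        print(hop_url, sent)
```

Code that follows redirects itself (for instance with allow_redirects=False) can apply the same origin comparison before re-sending cookies on each hop.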


Patch: https://github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478

Database specific
{
    "github_reviewed_at": "2026-06-03T21:34:38Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-346"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-06-02T20:16:37Z"
}
Affected packages

PyPI / aiohttp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.14.0

Affected versions

0.*
0.1
0.2
0.3
0.4
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.11.0
0.12.0
0.13.0
0.13.1
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.15.0
0.15.1
0.15.2
0.15.3
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.19.0
0.20.0
0.20.1
0.20.2
0.21.0
0.21.1
0.21.2
0.21.4
0.21.5
0.21.6
0.22.0a0
0.22.0b0
0.22.0b1
0.22.0b2
0.22.0b3
0.22.0b4
0.22.0b5
0.22.0b6
0.22.0
0.22.1
0.22.2
0.22.3
0.22.4
0.22.5
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.5
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
2.*
2.0.0rc1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0a1
2.3.0a2
2.3.0a3
2.3.0a4
2.3.0
2.3.1a1
2.3.1
2.3.2b2
2.3.2b3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
3.*
3.0.0b0
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0
3.2.1
3.3.0a0
3.3.0
3.3.1
3.3.2a0
3.3.2
3.4.0a0
3.4.0a3
3.4.0b1
3.4.0b2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0a1
3.5.0b1
3.5.0b2
3.5.0b3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.6.0a0
3.6.0a1
3.6.0a2
3.6.0a3
3.6.0a4
3.6.0a5
3.6.0a6
3.6.0a7
3.6.0a8
3.6.0a9
3.6.0a11
3.6.0a12
3.6.0b0
3.6.0
3.6.1b3
3.6.1b4
3.6.1
3.6.2a0
3.6.2a1
3.6.2a2
3.6.2
3.6.3
3.7.0b0
3.7.0b1
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.4.post0
3.8.0a7
3.8.0b0
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.9.0b0
3.9.0b1
3.9.0rc0
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4rc0
3.9.4
3.9.5
3.10.0b1
3.10.0rc0
3.10.0
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6rc0
3.10.6rc1
3.10.6rc2
3.10.6
3.10.7
3.10.8
3.10.9
3.10.10
3.10.11rc0
3.10.11
3.11.0b0
3.11.0b1
3.11.0b2
3.11.0b3
3.11.0b4
3.11.0b5
3.11.0rc0
3.11.0rc1
3.11.0rc2
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.11.8
3.11.9
3.11.10
3.11.11
3.11.12
3.11.13
3.11.14
3.11.15
3.11.16
3.11.17
3.11.18
3.12.0b0
3.12.0b1
3.12.0b2
3.12.0b3
3.12.0rc0
3.12.0rc1
3.12.0
3.12.1rc0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.6
3.12.7rc0
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
3.12.13
3.12.14
3.12.15
3.13.0
3.13.1
3.13.2
3.13.3
3.13.4
3.13.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hg6j-4rv6-33pg/GHSA-hg6j-4rv6-33pg.json"