{"schema_version":"1.7.2","id":"OESA-2026-2194","modified":"2026-05-03T09:58:07Z","published":"2026-05-03T09:58:07Z","upstream":["CVE-2026-22815","CVE-2026-34513","CVE-2026-34514","CVE-2026-34516","CVE-2026-34517","CVE-2026-34518","CVE-2026-34519","CVE-2026-34520","CVE-2026-34525"],"summary":"python-aiohttp security update","details":"Async http client/server framework (asyncio).\r\n\r\nSecurity Fix(es):\n\nInsufficient restrictions in header/trailer handling could cause uncapped memory usage.(CVE-2026-22815)\n\nAn unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.(CVE-2026-34513)\n\nAn attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits.(CVE-2026-34514)\n\nA response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.(CVE-2026-34516)\n\nFor some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.(CVE-2026-34517)\n\nWhen following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.(CVE-2026-34518)\n\naiohttp is vulnerable to HTTP response splitting attacks. An attacker can insert carriage return (\\r) characters in the reason phrase to craft malicious responses, leading to response splitting attacks. This vulnerability affects aiohttp versions up to and including 3.13.3.(CVE-2026-34519)\n\nThe llhttp parser in aiohttp accepts null bytes and control characters in response header values, which could allow attackers to perform HTTP header injection attacks and bypass security restrictions.(CVE-2026-34520)\n\naiohttp is a Python asynchronous HTTP client/server framework. In version 3.13.3 and earlier, there is a security vulnerability that allows accepting duplicate Host headers, which may lead to HTTP request smuggling attacks. Attackers could exploit this vulnerability to bypass security controls or perform man-in-the-middle attacks.(CVE-2026-34525)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"python-aiohttp","purl":"pkg:rpm/openEuler/python-aiohttp&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.13.5-1.oe2403"}]}],"ecosystem_specific":{"aarch64":["python-aiohttp-debuginfo-3.13.5-1.oe2403.aarch64.rpm","python-aiohttp-debugsource-3.13.5-1.oe2403.aarch64.rpm","python-aiohttp-help-3.13.5-1.oe2403.aarch64.rpm","python3-aiohttp-3.13.5-1.oe2403.aarch64.rpm"],"src":["python-aiohttp-3.13.5-1.oe2403.src.rpm"],"x86_64":["python-aiohttp-debuginfo-3.13.5-1.oe2403.x86_64.rpm","python-aiohttp-debugsource-3.13.5-1.oe2403.x86_64.rpm","python-aiohttp-help-3.13.5-1.oe2403.x86_64.rpm","python3-aiohttp-3.13.5-1.oe2403.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2194"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22815"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34513"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34514"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34516"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34517"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34518"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34519"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34520"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34525"}],"database_specific":{"severity":"Medium"}}