For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.
An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits.
An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.
Multiple Host headers were allowed in aiohttp.
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.
A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.
An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits.
Stay updated with the latest patches and releases. Plan your software design. Avoid common known vulnerabilities fixed by the open source community.
Latest patch release: 3.11.18
Latest minor release: 3.13.5
Latest major release: 4.0.0a1
Maintain your licence declarations and avoid unwanted licences to protect your IP the way you intended.
Apache-1.0 - Apache License 1.0