-------------------------------------------------------------------------
Debian LTS Advisory DLA-4613-1                      [email protected]
https://www.debian.org/lts/security/                      Daniel Leidert
June 01, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-aiohttp
Version        : 3.7.4-1+deb11u2
CVE ID         : CVE-2025-53643 CVE-2025-69224 CVE-2025-69225 CVE-2025-69226
                 CVE-2025-69227 CVE-2025-69228 CVE-2025-69229 CVE-2026-22815
                 CVE-2026-34513 CVE-2026-34514 CVE-2026-34516 CVE-2026-34517
                 CVE-2026-34518 CVE-2026-34519 CVE-2026-34520 CVE-2026-34525
Several vulnerabilities have been found in aiohttp, an asynchronous
HTTP client/server framework for asyncio and Python.
CVE-2025-53643

    Request smuggling vulnerability due to not parsing trailer sections
    of an HTTP request.

CVE-2025-69224

    Possible request smuggling attack in the HTTP parser in the
    presence of non-ASCII characters.

CVE-2025-69225

    Parser logic allows non-ASCII decimal digits to be present in the
    Range header.

CVE-2025-69226

    Path traversal vulnerability that allows an attacker to ascertain
    the existence of path components.

CVE-2025-69227

    When processing a POST body, an infinite loop can occur when assert
    statements are bypassed, leading to a possible DoS attack.

CVE-2025-69228

    Possible DoS attack that can freeze the server by exhausting
    memory via Request.post().

CVE-2025-69229

    Handling of chunked messages can result in excessive blocking of
    the CPU when receiving a large number of chunks.

CVE-2026-22815

    Uncapped memory usage due to insufficient restrictions in header and
    trailer handling.

CVE-2026-34513

    Excessive memory usage, possibly resulting in a DoS, due to an
    unbounded DNS cache.

CVE-2026-34514

    Header injection.

CVE-2026-34516

    Potential DoS vulnerability caused by a response with an excessive
    number of multipart headers.

CVE-2026-34517

    Possible excessive memory usage caused by some multipart form fields
    due to reading the entire field into memory before checking
    client_max_size.

CVE-2026-34518

    Sensitive information leak; the Cookie and Proxy-Authorization
    headers are now dropped when following redirects to a different
    origin.

CVE-2026-34519

    Header injection via the reason parameter.

CVE-2026-34520

    Possible security bypass; header values are now checked for control
    characters according to RFC 9110.

CVE-2026-34525

    Headers can be duplicated, e.g. the Host header.
For Debian 11 bullseye, these problems have been fixed in version
3.7.4-1+deb11u2.
We recommend that you upgrade your python-aiohttp packages.
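Added example, not part of the advisory or of Debian's tooling: a pure-Python re-implementation of dpkg's version-ordering rules, used to check an inventory of installed package versions against the fixed version named above. On a Debian host `dpkg --compare-versions` performs the same comparison; doing it in Python lets the check run on a central box that only holds collected `dpkg-query` output. The binary package name `python3-aiohttp` (built from source package python-aiohttp), the host names and the dpkg-query lines are constructed for illustration.

```python
"""Compare installed Debian package versions against the fixed version in
DLA-4613-1, using dpkg's ordering rules (epoch, upstream, revision; '~'
sorts before everything; digit runs compare numerically)."""

FIXED_VERSION = "3.7.4-1+deb11u2"   # fixed version from the advisory
BINARY_PACKAGE = "python3-aiohttp"  # assumed binary package name for python-aiohttp


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' sorts before everything, even the
    end of the string; letters sort before other non-digit characters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg comparison of an upstream version or Debian revision: alternate
    between non-digit runs (compared by weight) and digit runs (numeric)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit run: compare character by character by weight; end of
        # string has weight 0, so "1" < "1+deb11u2" but "1~bpo11+1" < "1".
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and a[i].isdigit() and j < lb and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str):
    """Split 'epoch:upstream-revision'; epoch defaults to 0 and a missing
    revision to '', which dpkg treats as equal to '0'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return compare_versions(installed, fixed) >= 0


def unpatched_hosts(inventory: dict, package: str = BINARY_PACKAGE,
                    fixed: str = FIXED_VERSION) -> list:
    """inventory maps host name -> captured output of
    dpkg-query -W -f='${Package} ${Version}' with one package per line.
    Returns (host, version) for hosts still below the fixed version."""
    result = []
    for host, dpkg_output in inventory.items():
        for line in dpkg_output.splitlines():
            parts = line.split()
            if len(parts) == 2 and parts[0] == package and not is_fixed(parts[1], fixed):
                result.append((host, parts[1]))
    return result


# Constructed sample: three bullseye hosts, only one of which took the update.
SAMPLE_INVENTORY = {
    "web-01": "python3-aiohttp 3.7.4-1+deb11u1\nexample-pkg 1.0-1\n",
    "web-02": "python3-aiohttp 3.7.4-1+deb11u2\n",
    "web-03": "python3-aiohttp 3.7.4-1\n",
}

if __name__ == "__main__":
    for host, version in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {BINARY_PACKAGE} {version} is older than {FIXED_VERSION}")
```

The comparison deliberately mirrors dpkg rather than a generic semver parser: the `+deb11u2` suffix is part of the Debian revision and sorts after a bare `-1`, while a backport-style `~bpo` revision sorts before it, so a naive string or float comparison would misclassify exactly the versions this advisory is about.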
For the detailed security status of python-aiohttp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-aiohttp
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS