CVE-2026-34525: AIOHTTP accepts duplicate Host headers
Multiple Host headers were allowed in aiohttp.
References
- github.com/advisories/GHSA-c427-h43c-vf67
- github.com/aio-libs/aiohttp
- github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000
- github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349
- github.com/aio-libs/aiohttp/releases/tag/v3.13.4
- github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67
- nvd.nist.gov/vuln/detail/CVE-2026-34525