Skip to content

Update dependency aiohttp to v3.13.3 [SECURITY] #379

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency aiohttp to v3.13.3 [SECURITY] #379

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 6, 2026

This PR contains the following updates:

Package Change Age Confidence
aiohttp 3.12.143.13.3 age confidence

GitHub Vulnerability Alerts

CVE-2025-69223

Summary

A zip bomb can be used to execute a DoS against the aiohttp server.

Impact

An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.

Patch: aio-libs/aiohttp@2b920c3

CVE-2025-69224

Summary

The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

Patch: aio-libs/aiohttp@32677f2

CVE-2025-69225

Summary

The parser allows non-ASCII decimals to be present in the Range header.

Impact

There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.

Patch: aio-libs/aiohttp@c7b7a04

CVE-2025-69226

Summary

Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the
existence of absolute path components.

Impact

If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.

Patch: aio-libs/aiohttp@f2a86fd

CVE-2025-69227

Summary

When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.

Impact

If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message.

Patch: aio-libs/aiohttp@bc1319e

CVE-2025-69228

Summary

A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.

Impact

If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory.

Patch: aio-libs/aiohttp@b7dbd35

CVE-2025-69229

Summary

Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.

Impact

If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.

Patch: aio-libs/aiohttp@dc3170b
Patch: aio-libs/aiohttp@4ed97a4

CVE-2025-69230

Summary

Reading multiple invalid cookies can lead to a logging storm.

Impact

If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.

Patch: aio-libs/aiohttp@64629a0

Release Notes

aio-libs/aiohttp (aiohttp)

v3.13.3

Compare Source

===================

This release contains fixes for several vulnerabilities. It is advised to
upgrade as soon as possible.

Bug fixes

  • Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors
    -- by :user:GLeurquin.

    Related issues and pull requests on GitHub:
    :issue:2596.

  • Fixed multipart reading failing when encountering an empty body part -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11857.

  • Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context.

    Related issues and pull requests on GitHub:
    :issue:11862.

Removals and backward incompatible breaking changes

  • Brotli and brotlicffi minimum version is now 1.2.
    Decompression now has a default maximum output size of 32MiB per decompress call -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11898.

Packaging updates and notes for downstreams

  • Moved dependency metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
    -- by :user:cdce8p.

    Related issues and pull requests on GitHub:
    :issue:11643.

Contributor-facing changes

  • Removed unused update-pre-commit github action workflow -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11689.

Miscellaneous internal changes

  • Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10713.

  • Added regression test for cached logging status -- by :user:meehand.

    Related issues and pull requests on GitHub:
    :issue:11778.

v3.13.2: 3.13.2

Compare Source

Bug fixes

  • Fixed cookie parser to continue parsing subsequent cookies when encountering a malformed cookie that fails regex validation, such as Google's g_state cookie with unescaped quotes -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​11632.

  • Fixed loading netrc credentials from the default :file:~/.netrc (:file:~/_netrc on Windows) location when the :envvar:NETRC environment variable is not set -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​11713, #​11714.

  • Fixed WebSocket compressed sends to be cancellation safe. Tasks are now shielded during compression to prevent compressor state corruption. This ensures that the stateful compressor remains consistent even when send operations are cancelled -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​11725.

v3.13.1

Compare Source

===================

Features

  • Make configuration options in AppRunner also available in run_app()
    -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11633.

Bug fixes

  • Switched to backports.zstd for Python <3.14 and fixed zstd decompression for chunked zstd streams -- by :user:ZhaoMJ.

    Note: Users who installed zstandard for support on Python <3.14 will now need to install
    backports.zstd instead (installing aiohttp[speedups] will do this automatically).

    Related issues and pull requests on GitHub:
    :issue:11623.

  • Updated Content-Type header parsing to return application/octet-stream when header contains invalid syntax.
    See :rfc:9110#section-8.3-5.

    -- by :user:sgaist.

    Related issues and pull requests on GitHub:
    :issue:10889.

  • Fixed Python 3.14 support when built without zstd support -- by :user:JacobHenner.

    Related issues and pull requests on GitHub:
    :issue:11603.

  • Fixed blocking I/O in the event loop when using netrc authentication by moving netrc file lookup to an executor -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11634.

  • Fixed routing to a sub-application added via .add_domain() not working
    if the same path exists on the parent app. -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11673.

Packaging updates and notes for downstreams

  • Moved core packaging metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
    -- by :user:cdce8p.

    Related issues and pull requests on GitHub:
    :issue:9951.

v3.13.0

Compare Source

===================

Features

  • Added support for Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:10851, :issue:10872.

  • Added support for free-threading in Python 3.14+ -- by :user:kumaraditya303.

    Related issues and pull requests on GitHub:
    :issue:11466, :issue:11464.

  • Added support for Zstandard (aka Zstd) compression
    -- by :user:KGuillaume-chaps.

    Related issues and pull requests on GitHub:
    :issue:11161.

  • Added StreamReader.total_raw_bytes to check the number of bytes downloaded
    -- by :user:robpats.

    Related issues and pull requests on GitHub:
    :issue:11483.

Bug fixes

  • Fixed pytest plugin to not use deprecated :py:mod:asyncio policy APIs.

    Related issues and pull requests on GitHub:
    :issue:10851.

  • Updated Content-Disposition header parsing to handle trailing semicolons and empty parts
    -- by :user:PLPeeters.

    Related issues and pull requests on GitHub:
    :issue:11243.

  • Fixed saved CookieJar failing to be loaded if cookies have partitioned flag when
    http.cookie does not have partitioned cookies supports. -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11523.

Improved documentation

  • Added Wireup to third-party libraries -- by :user:maldoinc.

    Related issues and pull requests on GitHub:
    :issue:11233.

Packaging updates and notes for downstreams

  • The blockbuster test dependency is now optional; the corresponding test fixture is disabled when it is unavailable
    -- by :user:musicinybrain.

    Related issues and pull requests on GitHub:
    :issue:11363.

  • Added riscv64 build to releases -- by :user:eshattow.

    Related issues and pull requests on GitHub:
    :issue:11425.

Contributor-facing changes

  • Fixed test_send_compress_text failing when alternative zlib implementation
    is used. (zlib-ng in python 3.14 windows build) -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11546.

v3.12.15

Compare Source

====================

Bug fixes

  • Fixed :class:~aiohttp.DigestAuthMiddleware to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting algorithm=MD5-sess instead of algorithm=MD5-SESS)
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11352.

Improved documentation

  • Remove outdated contents of aiohttp-devtools and aiohttp-swagger
    from Web_advanced docs.
    -- by :user:Cycloctane

    Related issues and pull requests on GitHub:
    :issue:11347.

Packaging updates and notes for downstreams

  • Started including the llhttp :file:LICENSE file in wheels by adding vendor/llhttp/LICENSE to license-files in :file:setup.cfg -- by :user:threexc.

    Related issues and pull requests on GitHub:
    :issue:11226.

Contributor-facing changes

  • Updated a regex in test_aiohttp_request_coroutine for Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:11271.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant