Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Aiohttp Project Subscribe
Filtered by product Aiohttp
Total 2 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21330 3 Aiohttp Project, Debian, Fedoraproject 3 Aiohttp, Debian Linux, Fedora 2023-02-03 5.8 MEDIUM 6.1 MEDIUM
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
CVE-2022-33124 1 Aiohttp Project 1 Aiohttp 2022-07-01 4.3 MEDIUM 5.5 MEDIUM
** DISPUTED ** AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application.