AIOHTTP: UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.

Affected Products

Vendor	Product	Versions
aiohttp	aiohttp	< 3.13.4

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783m(x_refsource_CONFIRM)
https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d(x_refsource_MISC)
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4(x_refsource_MISC)

Related News (2 articles)

Tier B

CERT-FR21h ago

Multiples vulnérabilités dans les produits VMware (11 mai 2026)

→ No new info (linked only)

Tier C

VulDB39d ago

CVE-2026-34515 | aio-libs aiohttp up to 3.13.3 on Windows absolute path traversal (GHSA-p998-jp59-783m)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

aiohttp@3.13.4

CWECWE-36, CWE-918

PublishedApr 1, 2026

Last enriched39d agov2

Trending Score55

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (4)

Version History

Last enriched 39d ago

v2Tier C39d ago

Updated description with new details about absolute path traversal and changed exploit availability to false.

descriptionactivelyExploited

via VulDB

v140d ago

Initial creation