AIOHTTP: HTTP response splitting via \r in reason phrase

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

Affected Products

Vendor	Product	Versions
aiohttp	aiohttp	< 3.13.4

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w(x_refsource_CONFIRM)
https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b(x_refsource_MISC)
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4(x_refsource_MISC)

Related News (2 articles)

Tier B

CERT-FR21h ago

Multiples vulnérabilités dans les produits VMware (11 mai 2026)

→ No new info (linked only)

Tier C

VulDB39d ago

CVE-2026-34519 | aio-libs aiohttp up to 3.13.3 Reason response splitting (GHSA-mwh4-6h8g-pg8w)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

aiohttp@3.13.4

CWECWE-113

PublishedApr 1, 2026

Last enriched39d agov2

Trending Score46

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (4)

Version History

Last enriched 39d ago

v2Tier C39d ago

Updated exploit availability to false and marked the vulnerability as actively exploited.

activelyExploited

via VulDB

v139d ago

Initial creation