AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.

Affected Products

Vendor	Product	Versions
aiohttp	aiohttp	< 3.13.4

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf(x_refsource_CONFIRM)
https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4(x_refsource_MISC)
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4(x_refsource_MISC)

Related News (2 articles)

Tier B

CERT-FR20h ago

Multiples vulnérabilités dans les produits VMware (11 mai 2026)

→ No new info (linked only)

Tier C

VulDB39d ago

CVE-2026-34520 | aio-libs aiohttp up to 3.13.3 Control Character response splitting (GHSA-63hf-3vf5-4wqf)

→ No new info (linked only)

CVSS 3.19.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

aiohttp@3.13.4

CWECWE-113

PublishedApr 1, 2026

Last enriched39d agov2

Trending Score64

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 39d ago

v2Tier C39d ago

Updated description with new details, changed severity to HIGH, and noted that no exploit is available.

descriptionseverityactivelyExploited

via VulDB

v139d ago

Initial creation

AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (4)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History