VULN UPGRADE: aiohttp (major → 3.13.3) [python/aiohttp/simple_app]#169

Open
campaigner-prod[bot] wants to merge 1 commit into master from engraver-auto-version-upgrade/major/pip/simple_app/0-1773067580

Conversation

@campaigner-prod

Summary: High-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

  • python/aiohttp/simple_app (pip)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---------|------|----|------|-----------------------|
| aiohttp | 1.2.0 | 3.13.3 | major | 7 HIGH, 18 MODERATE, 8 MEDIUM, 16 LOW |

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (7 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---------|-----|----------|---------|----------------|----------|
| aiohttp | CVE-2023-49081 | HIGH | aiohttp's ClientSession is vulnerable to CRLF injection via version | 1.2.0 | - |
| aiohttp | CVE-2024-30251 | HIGH | Denial of service when trying to parse malformed POST requests in aiohttp | 1.2.0 | - |
| aiohttp | GHSA-5m98-qgg9-wh84 | HIGH | aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests | 1.2.0 | 3.9.4 |
| aiohttp | GHSA-5h86-8mv2-jq9f | HIGH | aiohttp is vulnerable to directory traversal | 1.2.0 | 3.9.2 |
| aiohttp | PYSEC-2023-250 | HIGH | - | 1.2.0 | 1e86b777e61cf4eefc7d92fa57fa19dcc676013b |
| aiohttp | GHSA-6mq8-rvhq-8wgg | HIGH | AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb | 1.2.0 | 3.13.3 |
| aiohttp | CVE-2025-69223 | HIGH | AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb | 1.2.0 | - |
ℹ️ Other Vulnerabilities (42)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---------|-----|----------|---------|----------------|----------|
| aiohttp | PYSEC-2023-251 | MEDIUM | - | 1.2.0 | e4ae01c2077d2cfa116aa82e4ff6866857f7c466 |
| aiohttp | CVE-2023-37276 | MEDIUM | aiohttp vulnerable to HTTP request smuggling | 1.2.0 | - |
| aiohttp | PYSEC-2023-120 | MEDIUM | aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser | 1.2.0 | 3.8.5 |
| aiohttp | PYSEC-2024-26 | MEDIUM | - | 1.2.0 | 33ccdfb0a12690af5bb49bda2319ec0907fa7827 |
| aiohttp | CVE-2024-23829 | MEDIUM | aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators | 1.2.0 | - |
| aiohttp | CVE-2023-49082 | MEDIUM | aiohttp's ClientSession is vulnerable to CRLF injection via method | 1.2.0 | - |
| aiohttp | CVE-2024-23334 | MEDIUM | aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal | 1.2.0 | - |
| aiohttp | PYSEC-2024-24 | MEDIUM | - | 1.2.0 | 1c335944d6a8b1298baf179b7c0b3069f10c514b |
| aiohttp | GHSA-qvrw-v9rv-5rjx | MODERATE | aiohttp's ClientSession is vulnerable to CRLF injection via method | 1.2.0 | 3.9.0 |
| aiohttp | CVE-2025-69228 | MODERATE | AIOHTTP vulnerable to denial of service through large payloads | 1.2.0 | - |
| aiohttp | GHSA-7gpw-8wmc-pm8g | MODERATE | aiohttp Cross-site Scripting vulnerability on index pages for static file handling | 1.2.0 | 3.9.4 |
| aiohttp | GHSA-jj3x-wxrx-4x23 | MODERATE | AIOHTTP vulnerable to DoS when bypassing asserts | 1.2.0 | 3.13.3 |
| aiohttp | GHSA-8qpw-xqxj-h4r2 | MODERATE | aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators | 1.2.0 | 3.9.2 |
| aiohttp | CVE-2025-69229 | MODERATE | AIOHTTP vulnerable to DoS through chunked messages | 1.2.0 | - |
| aiohttp | GHSA-g84x-mcqj-x9qq | MODERATE | AIOHTTP vulnerable to DoS through chunked messages | 1.2.0 | 3.13.3 |
| aiohttp | CVE-2024-52304 | MODERATE | aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions | 1.2.0 | - |
| aiohttp | GHSA-8495-4g3g-x7pr | MODERATE | aiohttp allows request smuggling due to incorrect parsing of chunk extensions | 1.2.0 | 3.10.11 |
| aiohttp | GHSA-q3qx-c6g2-7pw2 | MODERATE | aiohttp's ClientSession is vulnerable to CRLF injection via version | 1.2.0 | 3.9.0 |
| aiohttp | GHSA-pjjw-qhg8-p2p9 | MODERATE | aiohttp has vulnerable dependency that is vulnerable to request smuggling | 1.2.0 | 3.8.6 |
| aiohttp | GHSA-gfw2-4jvh-wgfg | MODERATE | AIOHTTP has problems in HTTP parser (the python one, not llhttp) | 1.2.0 | 3.8.6 |
| aiohttp | CVE-2023-47627 | MODERATE | Request smuggling in aiohttp | 1.2.0 | - |
| aiohttp | PYSEC-2023-246 | MODERATE | - | 1.2.0 | d5c12ba890557a575c313bb3017910d7616fce3d |
| aiohttp | GHSA-6jhg-hg63-jvvf | MODERATE | AIOHTTP vulnerable to denial of service through large payloads | 1.2.0 | 3.13.3 |
| aiohttp | GHSA-45c4-8wx5-qw6w | MODERATE | aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser | 1.2.0 | 3.8.5 |
| aiohttp | CVE-2025-69227 | MODERATE | AIOHTTP vulnerable to DoS when bypassing asserts | 1.2.0 | - |
| aiohttp | CVE-2024-27306 | MODERATE | aiohttp vulnerable to XSS on index pages for static file handling | 1.2.0 | - |
| aiohttp | PYSEC-2021-76 | LOW | - | 1.2.0 | 2545222a3853e31ace15d87ae0e2effb7da0c96b |
| aiohttp | GHSA-v6wp-4m6f-gcjg | LOW | aiohttp Open Redirect vulnerability (normalize_path_middleware middleware) | 1.2.0 | 3.7.4 |
| aiohttp | CVE-2021-21330 | LOW | - | 1.2.0 | - |
| aiohttp | CVE-2025-69230 | LOW | AIOHTTP Vulnerable to Cookie Parser Warning Storm | 1.2.0 | - |
| aiohttp | GHSA-fh55-r93g-j68g | LOW | AIOHTTP Vulnerable to Cookie Parser Warning Storm | 1.2.0 | 3.13.3 |
| aiohttp | GHSA-mqqc-3gqh-h2x8 | LOW | AIOHTTP has unicode match groups in regexes for ASCII protocol elements | 1.2.0 | 3.13.3 |
| aiohttp | GHSA-9548-qrrj-x5pj | LOW | AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections | 1.2.0 | 3.12.14 |
| aiohttp | CVE-2025-53643 | LOW | AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections | 1.2.0 | - |
| aiohttp | CVE-2025-69225 | LOW | AIOHTTP Regex Mismatch Allows Unicode in ASCII-Only Protocol Fields | 1.2.0 | - |
| aiohttp | PYSEC-2023-247 | LOW | - | 1.2.0 | f016f0680e4ace6742b03a70cb0382ce86abe371 |
| aiohttp | GHSA-69f9-5gxw-wvc2 | LOW | AIOHTTP's unicode processing of header values could cause parsing discrepancies | 1.2.0 | 3.13.3 |
| aiohttp | CVE-2025-69224 | LOW | AIOHTTP's Unicode processing of header values could cause parsing discrepancies | 1.2.0 | - |
| aiohttp | GHSA-54jq-c3m8-4m76 | LOW | AIOHTTP vulnerable to brute-force leak of internal static file path components | 1.2.0 | 3.13.3 |
| aiohttp | CVE-2025-69226 | LOW | AIOHTTP allows for a brute-force leak of internal static filepath components | 1.2.0 | - |
| aiohttp | CVE-2023-47641 | LOW | Inconsistent interpretation of Content-Length vs. Transfer-Encoding in aiohttp | 1.2.0 | - |
| aiohttp | GHSA-xx9p-xxvh-7g8j | LOW | Aiohttp has inconsistent interpretation of Content-Length vs. Transfer-Encoding differing in C and Python fallbacks | 1.2.0 | 3.8.0 |
⚠️ Dependencies that have Reached EOL (1)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
|------------|----------------|----------|-------------|------|
| aiohttp | 1.2.0 | - | 3.13.3 | python/aiohttp/simple_app/requirements.txt |

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System
