All aiohttp CVEs — Complete Vulnerability History
aiohttp is an async HTTP client and server framework for Python. CVEs here affect both client and server use cases. The directory traversal CVE (2024) is particularly serious.
Package: PyPI · 50M+ weekly downloads · 3 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2023-37276 | 2023 | HIGH | HTTP request smuggling via chunk parsing | Fixed 3.8.5 |
| CVE-2023-47641 | 2023 | MEDIUM | URL redirect via HTTPS to HTTP downgrade | Fixed 3.9.0 |
| CVE-2024-23334 | 2024 | HIGH | Directory traversal in static file serving | Fixed 3.9.2 |
Current safe version: 3.9.3

Pin the fixed version in requirements.txt (the quoted form of the pin does not parse as a requirement, so it is written here as a plain requirements.txt entry):

```text
# Before
aiohttp==3.8.6
# After
aiohttp==3.9.3
```

Then run: pip install -r requirements.txt
Common questions
Who is affected by the aiohttp directory traversal?
Any application using aiohttp's built-in static file serving with follow_symlinks=True. This is not the default but is a common configuration for serving static files in development. In production, use a reverse proxy for static files.
Does the aiohttp HTTP smuggling affect API servers?
Yes — CVE-2023-37276 affects any aiohttp server handling chunked transfer encoding, which is most deployments. Update to 3.8.5 or later.