Skip to content

chore(deps): update dependency aiohttp to v3.13.3 [security]#47

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-aiohttp-vulnerability
Open

chore(deps): update dependency aiohttp to v3.13.3 [security]#47
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-aiohttp-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 20, 2026

Copy link
Copy Markdown

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
aiohttp ==3.8.6==3.13.3 age confidence

aiohttp's ClientSession is vulnerable to CRLF injection via method

CVE-2023-49082 / GHSA-qvrw-v9rv-5rjx

More information

Details

Summary

Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.

Details

The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.

Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.

PoC

A minimal example can be found here:
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

Impact

If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Workaround

If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).

Patch: https://github.com/aio-libs/aiohttp/pull/7806/files

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp's ClientSession is vulnerable to CRLF injection via version

CVE-2023-49081 / GHSA-q3qx-c6g2-7pw2

More information

Details

Summary

Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.

Details

The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).
For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the version parameter.
Furthermore, the vulnerability only occurs when the Connection header is passed to the headers parameter.

At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.

PoC

The POC below shows an example of providing an unvalidated array as a version:
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e

Impact

CRLF injection leading to Request Smuggling.

Workaround

If these specific conditions are met and you are unable to upgrade, then validate the user input to the version parameter to ensure it is a str.

Patch: https://github.com/aio-libs/aiohttp/pull/7835/files

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators

CVE-2024-23829 / GHSA-8qpw-xqxj-h4r2

More information

Details

Summary

Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.

Details

These problems are rooted in pattern matching protocol elements, previously improved by PR #​3235 and GHSA-gfw2-4jvh-wgfg:

  1. The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).

  2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.

  3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 token.

PoC

GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked

Impact

Primarily concerns running an aiohttp server without llhttp:

  1. behind a proxy: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.
  2. directly accessible or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.

Patch: https://github.com/aio-libs/aiohttp/pull/8074/files

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp is vulnerable to directory traversal

CVE-2024-23334 / GHSA-5h86-8mv2-jq9f

More information

Details

Summary

Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Details

When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])
Impact

This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.

Workaround

Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.

If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.


Patch: https://github.com/aio-libs/aiohttp/pull/8079/files

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp Cross-site Scripting vulnerability on index pages for static file handling

CVE-2024-27306 / GHSA-7gpw-8wmc-pm8g

More information

Details

Summary

A XSS vulnerability exists on index pages for static file handling.

Details

When using web.static(..., show_index=True), the resulting index pages do not escape file names.

If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.

Other users can disable show_index if unable to upgrade.


Patch: https://github.com/aio-libs/aiohttp/pull/8319/files

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests

CVE-2024-30251 / GHSA-5m98-qgg9-wh84

More information

Details

Summary

An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

Impact

An attacker can stop the application from serving requests after sending a single request.


For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in _read_chunk_from_length()):

diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@​@​ -338,6 +338,8 @​@​ class BodyPartReader:
         assert self._length is not None, "Content-Length required for chunked read"
         chunk_size = min(size, self._length - self._read_bytes)
         chunk = await self._content.read(chunk_size)
+        if self._content.at_eof():
+            self._at_eof = True
         return chunk
 
     async def _read_chunk_from_stream(self, size: int) -> bytes:

This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
aio-libs/aiohttp@cebe526
aio-libs/aiohttp@7eecdff
aio-libs/aiohttp@f21c6f2

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


aiohttp allows request smuggling due to incorrect parsing of chunk extensions

CVE-2024-52304 / GHSA-8495-4g3g-x7pr

More information

Details

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: aio-libs/aiohttp@259edc3

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections

CVE-2025-53643 / GHSA-9548-qrrj-x5pj

More information

Details

Summary

The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: aio-libs/aiohttp@e8d774f

Severity

  • CVSS Score: 1.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP's unicode processing of header values could cause parsing discrepancies

CVE-2025-69224 / GHSA-69f9-5gxw-wvc2

More information

Details

Summary

The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: aio-libs/aiohttp@32677f2

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb

CVE-2025-69223 / GHSA-6mq8-rvhq-8wgg

More information

Details

Summary

A zip bomb can be used to execute a DoS against the aiohttp server.

Impact

An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.


Patch: aio-libs/aiohttp@2b920c3

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP has unicode match groups in regexes for ASCII protocol elements

CVE-2025-69225 / GHSA-mqqc-3gqh-h2x8

More information

Details

Summary

The parser allows non-ASCII decimals to be present in the Range header.

Impact

There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.


Patch: aio-libs/aiohttp@c7b7a04

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP vulnerable to brute-force leak of internal static file path components

CVE-2025-69226 / GHSA-54jq-c3m8-4m76

More information

Details

Summary

Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the
existence of absolute path components.

Impact

If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.


Patch: aio-libs/aiohttp@f2a86fd

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP vulnerable to denial of service through large payloads

CVE-2025-69228 / GHSA-6jhg-hg63-jvvf

More information

Details

Summary

A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.

Impact

If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory.


Patch: aio-libs/aiohttp@b7dbd35

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AIOHTTP vulnerable to DoS when bypassing asserts

CVE-2025-69227 / GHSA-jj3x-wxrx-4x23

More information

Details

Summary

When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.

Impact

If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message.


Patch: aio-libs/aiohttp@bc1319e

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

aio-libs/aiohttp (aiohttp)

v3.13.3

Compare Source

===================

This release contains fixes for several vulnerabilities. It is advised to
upgrade as soon as possible.

Bug fixes

  • Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors
    -- by :user:GLeurquin.

    Related issues and pull requests on GitHub:
    :issue:2596.

  • Fixed multipart reading failing when encountering an empty body part -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11857.

  • Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context.

    Related issues and pull requests on GitHub:
    :issue:11862.

Removals and backward incompatible breaking changes

  • Brotli and brotlicffi minimum version is now 1.2.
    Decompression now has a default maximum output size of 32MiB per decompress call -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11898.

Packaging updates and notes for downstreams

  • Moved dependency metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
    -- by :user:cdce8p.

    Related issues and pull requests on GitHub:
    :issue:11643.

Contributor-facing changes

  • Removed unused update-pre-commit github action workflow -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11689.

Miscellaneous internal changes

  • Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10713.

  • Added regression test for cached logging status -- by :user:meehand.

    Related issues and pull requests on GitHub:
    :issue:11778.


v3.13.2: 3.13.2

Compare Source

Bug fixes

  • Fixed cookie parser to continue parsing subsequent cookies when encountering a malformed cookie that fails regex validation, such as Google's g_state cookie with unescaped quotes -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​11632.

  • Fixed loading netrc credentials from the default :file:~/.netrc (:file:~/_netrc on Windows) location when the :envvar:NETRC environment variable is not set -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​11713, #​11714.

  • Fixed WebSocket compressed sends to be cancellation safe. Tasks are now shielded during compression to prevent compressor state corruption. This ensures that the stateful compressor remains consistent even when send operations are cancelled -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​11725.


v3.13.1

Compare Source

===================

Features

  • Make configuration options in AppRunner also available in run_app()
    -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11633.

Bug fixes

  • Switched to backports.zstd for Python <3.14 and fixed zstd decompression for chunked zstd streams -- by :user:ZhaoMJ.

    Note: Users who installed zstandard for support on Python <3.14 will now need to install
    backports.zstd instead (installing aiohttp[speedups] will do this automatically).

    Related issues and pull requests on GitHub:
    :issue:11623.

  • Updated Content-Type header parsing to return application/octet-stream when header contains invalid syntax.
    See :rfc:9110#section-8.3-5.

    -- by :user:sgaist.

    Related issues and pull requests on GitHub:
    :issue:10889.

  • Fixed Python 3.14 support when built without zstd support -- by :user:JacobHenner.

    Related issues and pull requests on GitHub:
    :issue:11603.

  • Fixed blocking I/O in the event loop when using netrc authentication by moving netrc file lookup to an executor -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11634.

  • Fixed routing to a sub-application added via .add_domain() not working
    if the same path exists on the parent app. -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11673.

Packaging updates and notes for downstreams

  • Moved core packaging metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
    -- by :user:cdce8p.

    Related issues and pull requests on GitHub:
    :issue:9951.


v3.13.0

Compare Source

===================

Features

  • Added support for Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:10851, :issue:10872.

  • Added support for free-threading in Python 3.14+ -- by :user:kumaraditya303.

    Related issues and pull requests on GitHub:
    :issue:11466, :issue:11464.

  • Added support for Zstandard (aka Zstd) compression
    -- by :user:KGuillaume-chaps.

    Related issues and pull requests on GitHub:
    :issue:11161.

  • Added StreamReader.total_raw_bytes to check the number of bytes downloaded
    -- by :user:robpats.

    Related issues and pull requests on GitHub:
    :issue:11483.

Bug fixes

  • Fixed pytest plugin to not use deprecated :py:mod:asyncio policy APIs.

    Related issues and pull requests on GitHub:
    :issue:10851.

  • Updated Content-Disposition header parsing to handle trailing semicolons and empty parts
    -- by :user:PLPeeters.

    Related issues and pull requests on GitHub:
    :issue:11243.

  • Fixed saved CookieJar failing to be loaded if cookies have partitioned flag when
    http.cookie does not have partitioned cookies supports. -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11523.

Improved documentation

  • Added Wireup to third-party libraries -- by :user:maldoinc.

    Related issues and pull requests on GitHub:
    :issue:11233.

Packaging updates and notes for downstreams

  • The blockbuster test dependency is now optional; the corresponding test fixture is disabled when it is unavailable
    -- by :user:musicinybrain.

    Related issues and pull requests on GitHub:
    :issue:11363.

  • Added riscv64 build to releases -- by :user:eshattow.

    Related issues and pull requests on GitHub:
    :issue:11425.

Contributor-facing changes

  • Fixed test_send_compress_text failing when alternative zlib implementation
    is used. (zlib-ng in python 3.14 windows build) -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11546.


v3.12.15

Compare Source

====================

Bug fixes

  • Fixed :class:~aiohttp.DigestAuthMiddleware to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting algorithm=MD5-sess instead of algorithm=MD5-SESS)
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11352.

Improved documentation

  • Remove outdated contents of aiohttp-devtools and aiohttp-swagger
    from Web_advanced docs.
    -- by :user:Cycloctane

    Related issues and pull requests on GitHub:
    :issue:11347.

Packaging updates and notes for downstreams

  • Started including the llhttp :file:LICENSE file in wheels by adding vendor/llhttp/LICENSE to license-files in :file:setup.cfg -- by :user:threexc.

    Related issues and pull requests on GitHub:
    :issue:11226.

Contributor-facing changes

  • Updated a regex in test_aiohttp_request_coroutine for Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:11271.


v3.12.14

Compare Source

====================

Bug fixes

  • Fixed file uploads failing with HTTP 422 errors when encountering 307/308 redirects, and 301/302 redirects for non-POST methods, by preserving the request body when appropriate per :rfc:9110#section-15.4.3-3.1 -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11270.

  • Fixed :py:meth:ClientSession.close() <aiohttp.ClientSession.close> hanging indefinitely when using HTTPS requests through HTTP proxies -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11273.

  • Bumped minimum version of aiosignal to 1.4+ to resolve typing issues -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11280.

Features

  • Added initial trailer parsing logic to Python HTTP parser -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11269.

Improved documentation

  • Clarified exceptions raised by WebSocketResponse.send_frame et al.
    -- by :user:DoctorJohn.

    Related issues and pull requests on GitHub:
    :issue:11234.


v3.12.13

Compare Source

====================

Bug fixes

  • Fixed auto-created :py:class:~aiohttp.TCPConnector not using the session's event loop when :py:class:~aiohttp.ClientSession is created without an explicit connector -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11147.


v3.12.12

Compare Source

====================

Bug fixes

  • Fixed cookie unquoting to properly handle octal escape sequences in cookie values (e.g., \012 for newline) by vendoring the correct _unquote implementation from Python's http.cookies module -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11173.

  • Fixed Cookie header parsing to treat attribute names as regular cookies per :rfc:6265#section-5.4 -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11178.


v3.12.11

Compare Source

====================

Features

  • Improved SSL connection handling by changing the default ssl_shutdown_timeout
    from 0.1 to 0 seconds. SSL connections now use Python's default graceful
    shutdown during normal operation but are aborted immediately when the connector
    is closed, providing optimal behavior for both cases. Also added support for
    ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
    rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
    Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

    The ssl_shutdown_timeout parameter is now deprecated and will be removed in
    aiohttp 4.0 as there is no clear use case for changing the default.

    Related issues and pull requests on GitHub:
    :issue:11148.

Deprecations (removal in next major release)

  • Improved SSL connection handling by changing the default ssl_shutdown_timeout
    from 0.1 to 0 seconds. SSL connections now use Python's default graceful
    shutdown during normal operation but are aborted immediately when the connector
    is closed, providing optimal behavior for both cases. Also added support for
    ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
    rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
    Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

    The ssl_shutdown_timeout parameter is now deprecated and will be removed in
    aiohttp 4.0 as there is no clear use case for changing the default.

    Related issues and pull requests on GitHub:
    :issue:11148.


v3.12.10

Compare Source

====================

Bug fixes

  • Fixed leak of aiodns.DNSResolver when :py:class:~aiohttp.TCPConnector is closed and no resolver was passed when creating the connector -- by :user:Tasssadar.

    This was a regression introduced in version 3.12.0 (:pr:10897).

    Related issues and pull requests on GitHub:
    :issue:11150.


v3.12.9

Compare Source

===================

Bug fixes

  • Fixed IOBasePayload and TextIOPayload reading entire files into memory when streaming large files -- by :user:bdraco.

    When using file-like objects with the aiohttp client, the entire file would be read into memory if the file size was provided in the Content-Length header. This could cause out-of-memory errors when uploading large files. The payload classes now correctly read data in chunks of READ_SIZE (64KB) regardless of the total content length.

    Related issues and pull requests on GitHub:
    :issue:11138.


v3.12.8

Compare Source

===================

Features

  • Added preemptive digest authentication to :class:~aiohttp.DigestAuthMiddleware -- by :user:bdraco.

    The middleware now reuses authentication credentials for subsequent requests to the same
    protection space, improving efficiency by avoiding extra authentication round trips.
    This behavior matches how web browsers handle digest authentication and follows
    :rfc:7616#section-3.6.

    Preemptive authentication is enabled by default but can be disabled by passing
    preemptive=False to the middleware constructor.

    Related issues and pull requests on GitHub:
    :issue:11128, :issue:11129.


v3.12.7

Compare Source

===================

.. warning::

This release fixes an issue where the quote_cookie parameter was not being properly
respected for shared cookies (domain="", path=""). If your server does not handle quoted
cookies correctly, you may need to disable cookie quoting by setting quote_cookie=False
when creating your :class:~aiohttp.ClientSession or :class:~aiohttp.CookieJar.
See :ref:aiohttp-client-cookie-quoting-routine for details.

Bug fixes

  • Fixed cookie parsing to be more lenient when handling cookies with special characters
    in names or values. Cookies with characters like {, }, and / in names are now
    accepted instead of causing a :exc:~http.cookies.CookieError and 500 errors. Additionally,
    cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
    values are now handled consistently whether or not they include special attributes
    like Domain. Also fixed :class:~aiohttp.CookieJar to ensure shared cookies (domain="", path="")
    respect the quote_cookie parameter, making cookie quoting behavior consistent for
    all cookies -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:2683, :issue:5397, :issue:7993, :issue:11112.

  • Fixed an issue where cookies with duplicate names but different domains or paths
    were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
    cookie jar now correctly stores all cookies even if they have the same name but
    different domain or path, following the :rfc:6265#section-5.3 storage model -- by :user:bdraco.

    Note that :attr:ClientResponse.cookies <aiohttp.ClientResponse.cookies> returns
    a :class:~http.cookies.SimpleCookie which uses the cookie name as a key, so
    only the last cookie with each name is accessible via this interface. All cookies
    can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall> if needed.

    Related issues and pull requests on GitHub:
    :issue:4486, :issue:11105, :issue:11106.

Miscellaneous internal changes

  • Avoided creating closed futures in ResponseHandler that will never be awaited -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11107.

  • Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11114.


v3.12.6

Compare Source

===================

Bug fixes

  • Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:bdraco.

    When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs.

    Related issues and pull requests on GitHub:
    :issue:11100.


v3.12.4

Compare Source

===================

Bug fixes

  • Fixed connector not waiting for connections to close before returning from :meth:~aiohttp.BaseConnector.close (partial backport of :pr:3733) -- by :user:atemate and :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:1925, :issue:11074.


v3.12.3

Compare Source

===================

Bug fixes

  • Fixed memory leak in :py:meth:~aiohttp.CookieJar.filter_cookies that caused unbounded memory growth
    when making requests to different URL paths -- by :user:bdraco and :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11052, :issue:11054.


v3.12.2

Compare Source

===================

Bug fixes

  • Fixed Content-Length header not being set to 0 for non-GET requests with None body -- by :user:bdraco.

    Non-GET requests (POST, PUT, PATCH, DELETE) with None as the body now correctly set the Content-Length header to 0, matching the behavior of requests with empty bytes (b""). This regression was introduced in aiohttp 3.12.1.

    Related issues and pull requests on GitHub:
    :issue:11035.


v3.12.1

Compare Source

====================

Bug fixes

  • Fixed :class:~aiohttp.DigestAuthMiddleware to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting algorithm=MD5-sess instead of algorithm=MD5-SESS)
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11352.

Improved documentation

  • Remove outdated contents of aiohttp-devtools and aiohttp-swagger
    from Web_advanced docs.
    -- by

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner June 20, 2026 19:39
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants