Skip to content

chore(deps): update dependency aiohttp to v3.10.11 [security]#53

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/pypi-aiohttp-vulnerability
Open

chore(deps): update dependency aiohttp to v3.10.11 [security]#53
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/pypi-aiohttp-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 26, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
aiohttp ==3.8.5==3.10.11 age confidence

AIOHTTP has problems in HTTP parser (the python one, not llhttp)

CVE-2023-47627 / GHSA-gfw2-4jvh-wgfg

More information

Details

Summary

The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling.
This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).

Details
Bug 1: Bad parsing of Content-Length values
Description

RFC 9110 says this:

Content-Length = 1*DIGIT

AIOHTTP does not enforce this rule, presumably because of an incorrect usage of the builtin int constructor. Because the int constructor accepts + and - prefixes, and digit-separating underscores, using int to parse CL values leads AIOHTTP to significant misinterpretation.

Examples
GET / HTTP/1.1\r\n
Content-Length: -0\r\n
\r\n
X

GET / HTTP/1.1\r\n
Content-Length: +0_1\r\n
\r\n
X
Suggested action

Verify that a Content-Length value consists only of ASCII digits before parsing, as the standard requires.

Bug 2: Improper handling of NUL, CR, and LF in header values
Description

RFC 9110 says this:

Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message.

AIOHTTP's HTTP parser does not enforce this rule, and will happily process header values containing these three forbidden characters without replacing them with SP.

Examples
GET / HTTP/1.1\r\n
Header: v\x00alue\r\n
\r\n

GET / HTTP/1.1\r\n
Header: v\ralue\r\n
\r\n

GET / HTTP/1.1\r\n
Header: v\nalue\r\n
\r\n
Suggested action

Reject all messages with NUL, CR, or LF in a header value. The translation to space thing, while technically allowed, does not seem like a good idea to me.

Bug 3: Improper stripping of whitespace before colon in HTTP headers
Description

RFC 9112 says this:

No whitespace is allowed between the field name and colon. In the past, differences in the handling of such whitespace have led to security vulnerabilities in request routing and response handling. A server MUST reject, with a response status code of 400 (Bad Request), any received request message that contains whitespace between a header field name and colon.

AIOHTTP does not enforce this rule, and will simply strip any whitespace before the colon in an HTTP header.

Example
GET / HTTP/1.1\r\n
Content-Length : 1\r\n
\r\n
X
Suggested action

Reject all messages with whitespace before a colon in a header field, as the standard requires.

PoC

Example requests are embedded in the previous section. To reproduce these bugs, start an AIOHTTP server without llhttp (i.e. AIOHTTP_NO_EXTENSIONS=1) and send the requests given in the previous section. (e.g. by printfing into nc)

Impact

Each of these bugs can be used for request smuggling.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

aiohttp has vulnerable dependency that is vulnerable to request smuggling

GHSA-pjjw-qhg8-p2p9

More information

Details

Summary

llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities.
Details have not been disclosed yet, so refer to llhttp for future information.
The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).

Severity

Medium

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

aiohttp's ClientSession is vulnerable to CRLF injection via method

CVE-2023-49082 / GHSA-qvrw-v9rv-5rjx

More information

Details

Summary

Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.

Details

The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.

Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.

PoC

A minimal example can be found here:
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

Impact

If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Workaround

If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).

Patch: https://github.com/aio-libs/aiohttp/pull/7806/files

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

aiohttp's ClientSession is vulnerable to CRLF injection via version

CVE-2023-49081 / GHSA-q3qx-c6g2-7pw2

More information

Details

Summary

Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.

Details

The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).
For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the version parameter.
Furthermore, the vulnerability only occurs when the Connection header is passed to the headers parameter.

At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.

PoC

The POC below shows an example of providing an unvalidated array as a version:
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e

Impact

CRLF injection leading to Request Smuggling.

Workaround

If these specific conditions are met and you are unable to upgrade, then validate the user input to the version parameter to ensure it is a str.

Patch: https://github.com/aio-libs/aiohttp/pull/7835/files

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators

CVE-2024-23829 / GHSA-8qpw-xqxj-h4r2

More information

Details

Summary

Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.

Details

These problems are rooted in pattern matching protocol elements, previously improved by PR #​3235 and GHSA-gfw2-4jvh-wgfg:

  1. The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).

  2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.

  3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 token.

PoC

GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked

Impact

Primarily concerns running an aiohttp server without llhttp:

  1. behind a proxy: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.
  2. directly accessible or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.

Patch: https://github.com/aio-libs/aiohttp/pull/8074/files

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

aiohttp is vulnerable to directory traversal

CVE-2024-23334 / GHSA-5h86-8mv2-jq9f

More information

Details

Summary

Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Details

When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])
Impact

This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.

Workaround

Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.

If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.

Patch: https://github.com/aio-libs/aiohttp/pull/8079/files

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

aiohttp Cross-site Scripting vulnerability on index pages for static file handling

CVE-2024-27306 / GHSA-7gpw-8wmc-pm8g

More information

Details

Summary

A XSS vulnerability exists on index pages for static file handling.

Details

When using web.static(..., show_index=True), the resulting index pages do not escape file names.

If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.

Other users can disable show_index if unable to upgrade.

Patch: https://github.com/aio-libs/aiohttp/pull/8319/files

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests

CVE-2024-30251 / GHSA-5m98-qgg9-wh84

More information

Details

Summary

An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

Impact

An attacker can stop the application from serving requests after sending a single request.

For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in _read_chunk_from_length()):

diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@​@​ -338,6 +338,8 @​@​ class BodyPartReader:
         assert self._length is not None, "Content-Length required for chunked read"
         chunk_size = min(size, self._length - self._read_bytes)
         chunk = await self._content.read(chunk_size)
+        if self._content.at_eof():
+            self._at_eof = True
         return chunk
 
     async def _read_chunk_from_stream(self, size: int) -> bytes:

This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
aio-libs/aiohttp@cebe526
aio-libs/aiohttp@7eecdff
aio-libs/aiohttp@f21c6f2

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

aiohttp allows request smuggling due to incorrect parsing of chunk extensions

CVE-2024-52304 / GHSA-8495-4g3g-x7pr

More information

Details

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

Patch: aio-libs/aiohttp@259edc3

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

aio-libs/aiohttp (aiohttp)

v3.10.11

Compare Source

====================

Bug fixes

  • Authentication provided by a redirect now takes precedence over provided auth when making requests with the client -- by :user:PLPeeters.

    Related issues and pull requests on GitHub:
    :issue:9436.

  • Fixed :py:meth:WebSocketResponse.close() <aiohttp.web.WebSocketResponse.close> to discard non-close messages within its timeout window after sending close -- by :user:lenard-mosys.

    Related issues and pull requests on GitHub:
    :issue:9506.

  • Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:bdraco.

    The connector was not cancellation-safe.

    Related issues and pull requests on GitHub:
    :issue:9670, :issue:9671.

  • Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9686.

  • Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9851.

  • Fixed system routes polluting the middleware cache -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9852.

Removals and backward incompatible breaking changes

  • Improved performance of the connector when a connection can be reused -- by :user:bdraco.

    If BaseConnector.connect has been subclassed and replaced with custom logic, the ceil_timeout must be added.

    Related issues and pull requests on GitHub:
    :issue:9600.

Miscellaneous internal changes

  • Improved performance of the client request lifecycle when there are no cookies -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9470.

  • Improved performance of sending client requests when the writer can finish synchronously -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9485.

  • Improved performance of serializing HTTP headers -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9603.

  • Passing enable_cleanup_closed to :py:class:aiohttp.TCPConnector is now ignored on Python 3.12.7+ and 3.13.1+ since the underlying bug that caused asyncio to leak SSL connections has been fixed upstream -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9726, :issue:9736.

v3.10.10

Compare Source

====================

Bug fixes

  • Fixed error messages from :py:class:~aiohttp.resolver.AsyncResolver being swallowed -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9451, :issue:9455.

Features

  • Added :exc:aiohttp.ClientConnectorDNSError for differentiating DNS resolution errors from other connector errors -- by :user:mstojcevich.

    Related issues and pull requests on GitHub:
    :issue:8455.

Miscellaneous internal changes

  • Simplified DNS resolution throttling code to reduce chance of race conditions -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9454.

v3.10.9

Compare Source

===================

Bug fixes

  • Fixed proxy headers being used in the ConnectionKey hash when a proxy was not being used -- by :user:bdraco.

    If default headers are used, they are also used for proxy headers. This could have led to creating connections that were not needed when one was already available.

    Related issues and pull requests on GitHub:
    :issue:9368.

  • Widened the type of the trace_request_ctx parameter of
    :meth:ClientSession.request() <aiohttp.ClientSession.request> and friends
    -- by :user:layday.

    Related issues and pull requests on GitHub:
    :issue:9397.

Removals and backward incompatible breaking changes

  • Fixed failure to try next host after single-host connection timeout -- by :user:brettdh.

    The default client :class:aiohttp.ClientTimeout params has changed to include a sock_connect timeout of 30 seconds so that this correct behavior happens by default.

    Related issues and pull requests on GitHub:
    :issue:7342.

Miscellaneous internal changes

  • Improved performance of resolving hosts with Python 3.12+ -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9342.

  • Reduced memory required for timer objects created during the client request lifecycle -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9406.

v3.10.8

Compare Source

===================

Bug fixes

  • Fixed cancellation leaking upwards on timeout -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9326.

v3.10.7

Compare Source

===================

Bug fixes

  • Fixed assembling the :class:~yarl.URL for web requests when the host contains a non-default port or IPv6 address -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9309.

Miscellaneous internal changes

  • Improved performance of determining if a URL is absolute -- by :user:bdraco.

    The property :attr:~yarl.URL.absolute is more performant than the method URL.is_absolute() and preferred when newer versions of yarl are used.

    Related issues and pull requests on GitHub:
    :issue:9171.

  • Replaced code that can now be handled by yarl -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9301.

v3.10.6

Compare Source

===================

Bug fixes

  • Added :exc:aiohttp.ClientConnectionResetError. Client code that previously threw :exc:ConnectionResetError
    will now throw this -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9137.

  • Fixed an unclosed transport ResourceWarning on web handlers -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8875.

  • Fixed resolve_host() 'Task was destroyed but is pending' errors -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8967.

  • Fixed handling of some file-like objects (e.g. tarfile.extractfile()) which raise AttributeError instead of OSError when fileno fails for streaming payload data -- by :user:ReallyReivax.

    Related issues and pull requests on GitHub:
    :issue:6732.

  • Fixed web router not matching pre-encoded URLs (requires yarl 1.9.6+) -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8898, :issue:9267.

  • Fixed an error when trying to add a route for multiple methods with a path containing a regex pattern -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8998.

  • Fixed Response.text when body is a Payload -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:6485.

  • Fixed compressed requests failing when no body was provided -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9108.

  • Fixed client incorrectly reusing a connection when the previous message had not been fully sent -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8992.

  • Fixed race condition that could cause server to close connection incorrectly at keepalive timeout -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9140.

  • Fixed Python parser chunked handling with multiple Transfer-Encoding values -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8823.

  • Fixed error handling after 100-continue so server sends 500 response instead of disconnecting -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8876.

  • Stopped adding a default Content-Type header when response has no content -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8858.

  • Added support for URL credentials with empty (zero-length) username, e.g. https://:password@host -- by :user:shuckc

    Related issues and pull requests on GitHub:
    :issue:6494.

  • Stopped logging exceptions from web.run_app() that would be raised regardless -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:6807.

  • Implemented binding to IPv6 addresses in the pytest server fixture.

    Related issues and pull requests on GitHub:
    :issue:4650.

  • Fixed the incorrect use of flags for getnameinfo() in the Resolver --by :user:GitNMLee

    Link-Local IPv6 addresses can now be handled by the Resolver correctly.

    Related issues and pull requests on GitHub:
    :issue:9032.

  • Fixed StreamResponse.prepared to return True after EOF is sent -- by :user:arthurdarcet.

    Related issues and pull requests on GitHub:
    :issue:5343.

  • Changed make_mocked_request() to use empty payload by default -- by :user:rahulnht.

    Related issues and pull requests on GitHub:
    :issue:7167.

  • Used more precise type for ClientResponseError.headers, fixing some type errors when using them -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8768.

  • Changed behavior when returning an invalid response to send a 500 response -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8845.

  • Fixed response reading from closed session to throw an error immediately instead of timing out -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8878.

  • Fixed CancelledError from one cleanup context stopping other contexts from completing -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8908.

  • Fixed changing scheme/host in Response.clone() for absolute URLs -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8990.

  • Fixed Site.name when host is an empty string -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8929.

  • Updated Python parser to reject messages after a close message, matching C parser behaviour -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9018.

  • Fixed creation of SSLContext inside of :py:class:aiohttp.TCPConnector with multiple event loops in different threads -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9029.

  • Fixed (on Python 3.11+) some edge cases where a task cancellation may get incorrectly suppressed -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9030.

  • Fixed exception information getting lost on HttpProcessingError -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9052.

  • Fixed If-None-Match not using weak comparison -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9063.

  • Fixed badly encoded charset crashing when getting response text instead of falling back to charset detector.

    Related issues and pull requests on GitHub:
    :issue:9160.

  • Rejected \n in reason values to avoid sending broken HTTP messages -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9167.

  • Changed :py:meth:ClientResponse.raise_for_status() <aiohttp.ClientResponse.raise_for_status> to only release the connection when invoked outside an async with context -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9239.

Features

  • Improved type on params to match the underlying type allowed by yarl -- by :user:lpetre.

    Related issues and pull requests on GitHub:
    :issue:8564.

  • Declared Python 3.13 supported -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8748.

Removals and backward incompatible breaking changes

  • Improved middleware performance -- by :user:bdraco.

    The set_current_app method was removed from UrlMappingMatchInfo because it is no longer used, and it was unlikely external caller would ever use it.

    Related issues and pull requests on GitHub:
    :issue:9200.

  • Increased minimum yarl version to 1.12.0 -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9267.

Improved documentation

  • Clarified that GracefulExit needs to be handled in AppRunner and ServerRunner when using handle_signals=True. -- by :user:Daste745

    Related issues and pull requests on GitHub:
    :issue:4414.

  • Clarified that auth parameter in ClientSession will persist and be included with any request to any origin, even during redirects to different origins. -- by :user:MaximZemskov.

    Related issues and pull requests on GitHub:
    :issue:6764.

  • Clarified which timeout exceptions happen on which timeouts -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8968.

  • Updated ClientSession parameters to match current code -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8991.

Packaging updates and notes for downstreams

  • Fixed test_client_session_timeout_zero to not require internet access -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:9004.

Miscellaneous internal changes

  • Improved performance of making requests when there are no auto headers to skip -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8847.

  • Exported aiohttp.TraceRequestHeadersSentParams -- by :user:Hadock-is-ok.

    Related issues and pull requests on GitHub:
    :issue:8947.

  • Avoided tracing overhead in the http writer when there are no active traces -- by user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9031.

  • Improved performance of reify Cython implementation -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9054.

  • Use :meth:URL.extend_query() <yarl.URL.extend_query> to extend query params (requires yarl 1.11.0+) -- by :user:bdraco.

    If yarl is older than 1.11.0, the previous slower hand rolled version will be used.

    Related issues and pull requests on GitHub:
    :issue:9068.

  • Improved performance of checking if a host is an IP Address -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9095.

  • Significantly improved performance of middlewares -- by :user:bdraco.

    The construction of the middleware wrappers is now cached and is built once per handler instead of on every request.

    Related issues and pull requests on GitHub:
    :issue:9158, :issue:9170.

  • Improved performance of web requests -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9168, :issue:9169, :issue:9172, :issue:9174, :issue:9175, :issue:9241.

  • Improved performance of starting web requests when there is no response prepare hook -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9173.

  • Significantly improved performance of expiring cookies -- by :user:bdraco.

    Expiring cookies has been redesigned to use :mod:heapq instead of a linear search, to better scale.

    Related issues and pull requests on GitHub:
    :issue:9203.

  • Significantly sped up filtering cookies -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9204.

v3.10.5

Compare Source

=========================

Bug fixes

  • Fixed :meth:aiohttp.ClientResponse.json() not setting status when :exc:aiohttp.ContentTypeError is raised -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8742.

Miscellaneous internal changes

  • Improved performance of the WebSocket reader -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8736, :issue:8747.

v3.10.4

Compare Source

===================

Bug fixes

  • Fixed decoding base64 chunk in BodyPartReader -- by :user:hyzyla.

    Related issues and pull requests on GitHub:
    :issue:3867.

  • Fixed a race closing the server-side WebSocket where the close code would not reach the client -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8680.

  • Fixed unconsumed exceptions raised by the WebSocket heartbeat -- by :user:bdraco.

    If the heartbeat ping raised an exception, it would not be consumed and would be logged as an warning.

    Related issues and pull requests on GitHub:
    :issue:8685.

  • Fixed an edge case in the Python parser when chunk separators happen to align with network chunks -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8720.

Improved documentation

  • Added aiohttp-apischema to supported libraries -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8700.

Miscellaneous internal changes

  • Improved performance of starting request handlers with Python 3.12+ -- by :user:bdraco.

    This change is a followup to :issue:8661 to make the same optimization for Python 3.12+ where the request is connected.

    Related issues and pull requests on GitHub:
    :issue:8681.

v3.10.3

Compare Source

========================

Bug fixes

  • Fixed multipart reading when stream buffer splits the boundary over several read() calls -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8653.

  • Fixed :py:class:aiohttp.TCPConnector doing blocking I/O in the event loop to create the SSLContext -- by :user:bdraco.

    The blocking I/O would only happen once per verify mode. However, it could cause the event loop to block for a long time if the SSLContext creation is slow, which is more likely during startup when the disk cache is not yet present.

    Related issues and pull requests on GitHub:
    :issue:8672.

Miscellaneous internal changes

  • Improved performance of :py:meth:~aiohttp.ClientWebSocketResponse.receive and :py:meth:~aiohttp.web.WebSocketResponse.receive when there is no timeout. -- by :user:bdraco.

    The timeout context manager is now avoided when there is no timeout as it accounted for up to 50% of the time spent in the :py:meth:~aiohttp.ClientWebSocketResponse.receive and :py:meth:~aiohttp.web.WebSocketResponse.receive methods.

    Related issues and pull requests on GitHub:
    :issue:8660.

  • Improved performance of starting request handlers with Python 3.12+ -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8661.

  • Improved performance of HTTP keep-alive checks -- by :user:bdraco.

    Previously, when processing a request for a keep-alive connection, the keep-alive check would happen every second; the check is now rescheduled if it fires too early instead.

    Related issues and pull requests on GitHub:
    :issue:8662.

  • Improved performance of generating random WebSocket mask -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8667.

v3.10.2

Compare Source

===================

Bug fixes

  • Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8565.

  • Fixed request body not being read when ignoring an Upgrade request -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8597.

  • Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8611.

  • Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8632.

  • Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:bdraco.

    There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

    Related issues and pull requests on GitHub:
    :issue:8641.

  • Fixed incorrectly following symlinks for compressed file variants -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8652.

Removals and backward incompatible breaking changes

  • Removed Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8636.

Contributor-facing changes

  • Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13 compatibility -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8551.

Miscellaneous internal changes

  • Improved WebSocket performance when messages are sent or received frequently -- by :user:bdraco.

    The WebSocket heartbeat scheduling algorithm was improved to reduce the asyncio scheduling overhead by decreasing the number of asyncio.TimerHandle creations and cancellations.

    Related issues and pull requests on GitHub:
    :issue:8608.

  • Minor improvements to various type annotations -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8634.

v3.10.1

Compare Source

====================

Bug fixes

  • Authentication provided by a redirect now takes precedence over provided auth when making requests with the client -- by :user:PLPeeters.

    Related issues and pull requests on GitHub:
    :issue:9436.

  • Fixed :py:meth:WebSocketResponse.close() <aiohttp.web.WebSocketResponse.close> to discard non-close messages within its timeout window after sending close -- by :user:lenard-mosys.

    Related issues and pull requests on GitHub:
    :issue:9506.

  • Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:bdraco.

    The connector was not cancellation-safe.

    Related issues and pull requests on GitHub:
    :issue:9670, :issue:9671.

  • Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9686.

  • Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9851.

  • Fixed system routes polluting the middleware cache -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9852.

Removals and backward incompatible breaking changes

  • Improved performance of the connector when a connection can be reused -- by :user:bdraco.

    If BaseConnector.connect has been subclassed and replaced with custom logic, the ceil_timeout must be added.

    Related issues and pull requests on GitHub:
    :issue:9600.

Miscellaneous internal changes

  • Improved performance of the client request lifecycle when there are no cookies -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9470.

  • Improved performance of sending client requests when the writer can finish synchronously -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9485.

  • Improved performance of serializing HTTP headers -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9603.

  • Passing enable_cleanup_closed to :py:class:aiohttp.TCPConnector is n

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/pypi-aiohttp-vulnerability branch March 27, 2026 00:43
@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed chore(deps): update dependency aiohttp to v3.10.11 [security] Apr 2, 2026
@renovate renovate Bot reopened this Apr 2, 2026
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from 485b9eb to 1c45517 Compare April 2, 2026 09:15
@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed chore(deps): update dependency aiohttp to v3.10.11 [security] Apr 29, 2026
@renovate renovate Bot reopened this Apr 29, 2026
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from 1c45517 to f04f425 Compare April 29, 2026 11:14
@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed May 6, 2026
@renovate renovate Bot closed this May 6, 2026
@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed chore(deps): update dependency aiohttp to v3.10.11 [security] May 12, 2026
@renovate renovate Bot reopened this May 12, 2026
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from f04f425 to b45d7a7 Compare May 12, 2026 15:38
@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed May 12, 2026
@renovate renovate Bot closed this May 12, 2026
@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed chore(deps): update dependency aiohttp to v3.10.11 [security] May 14, 2026
@renovate renovate Bot reopened this May 14, 2026
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from b45d7a7 to 98bb855 Compare May 14, 2026 18:01
@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed May 22, 2026
@renovate renovate Bot closed this May 22, 2026
@renovate renovate Bot changed the title chore(deps): update dependency aiohttp to v3.10.11 [security] - autoclosed chore(deps): update dependency aiohttp to v3.10.11 [security] May 28, 2026
@renovate renovate Bot reopened this May 28, 2026
@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 98bb855 to 487d84f Compare May 28, 2026 15:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants