Update dependency aiohttp to v3.13.3 [SECURITY] #59
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
00aa75c to
56d6b07
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
56d6b07 to
9a1c463
Compare
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
2 times, most recently
from
6f6e6b9 to
48936a8
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
48936a8 to
da412db
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
da412db to
3593f8a
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
2 times, most recently
from
c3fb934 to
be87a25
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
be87a25 to
00e8c62
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
2 times, most recently
from
6904f7c to
3b9312e
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
3b9312e to
274f9f3
Compare
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
274f9f3 to
2efde78
Compare
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
2efde78 to
6540731
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
6540731 to
486e226
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
486e226 to
77cd1cc
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
2 times, most recently
from
637281b to
774e9df
Compare
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
774e9df to
19ec253
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
19ec253 to
94831bc
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
94831bc to
d0f1142
Compare
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
d0f1142 to
23bfaf3
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
2 times, most recently
from
22fac12 to
3218432
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
3218432 to
86ae98a
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
2 times, most recently
from
119f6c8 to
ee9da9b
Compare
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
ee9da9b to
656df44
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.8.6→3.13.3==3.8.6→==3.13.3GitHub Vulnerability Alerts
CVE-2023-49082
Summary
Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.
Details
The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.
Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.
PoC
A minimal example can be found here:
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
Impact
If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).
Workaround
If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).
Patch: https://github.com/aio-libs/aiohttp/pull/7806/files
CVE-2023-49081
Summary
Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.
Details
The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).
For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the
versionparameter.Furthermore, the vulnerability only occurs when the
Connectionheader is passed to theheadersparameter.At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.
PoC
The POC below shows an example of providing an unvalidated array as a version:
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e
Impact
CRLF injection leading to Request Smuggling.
Workaround
If these specific conditions are met and you are unable to upgrade, then validate the user input to the
versionparameter to ensure it is astr.Patch: https://github.com/aio-libs/aiohttp/pull/7835/files
CVE-2024-23829
Summary
Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.
Details
These problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:
The expression
HTTP/(\d).(\d)lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result:HTTP/(\d)\.(\d)).The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.
Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110
token.PoC
GET / HTTP/1ö1GET / HTTP/1.𝟙GET/: HTTP/1.1Content-Encoding?: chunkedImpact
Primarily concerns running an aiohttp server without llhttp:
Patch: https://github.com/aio-libs/aiohttp/pull/8074/files
CVE-2024-23334
Summary
Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.
Details
When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.
i.e. An application is only vulnerable with setup code like:
Impact
This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with
follow_symlinksset to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of thefollow_symlinksparameter.Workaround
Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.
If using
follow_symlinks=Trueoutside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.
Patch: https://github.com/aio-libs/aiohttp/pull/8079/files
CVE-2024-27306
Summary
A XSS vulnerability exists on index pages for static file handling.
Details
When using
web.static(..., show_index=True), the resulting index pages do not escape file names.If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.
Workaround
We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.
Other users can disable
show_indexif unable to upgrade.Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
CVE-2024-30251
Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.
Impact
An attacker can stop the application from serving requests after sending a single request.
For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in
_read_chunk_from_length()):This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
aio-libs/aiohttp@cebe526
aio-libs/aiohttp@7eecdff
aio-libs/aiohttp@f21c6f2
CVE-2024-52304
Summary
The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or
AIOHTTP_NO_EXTENSIONSis enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.Patch: aio-libs/aiohttp@259edc3
CVE-2025-53643
Summary
The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: aio-libs/aiohttp@e8d774f
CVE-2025-69224
Summary
The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
Patch: aio-libs/aiohttp@32677f2
CVE-2025-69223
Summary
A zip bomb can be used to execute a DoS against the aiohttp server.
Impact
An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.
Patch: aio-libs/aiohttp@2b920c3
CVE-2025-69225
Summary
The parser allows non-ASCII decimals to be present in the Range header.
Impact
There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.
Patch: aio-libs/aiohttp@c7b7a04
CVE-2025-69226
Summary
Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the
existence of absolute path components.
Impact
If an application uses
web.static()(not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.Patch: aio-libs/aiohttp@f2a86fd
CVE-2025-69227
Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.
Impact
If optimisations are enabled (
-OorPYTHONOPTIMIZE=1), and the application includes a handler that uses theRequest.post()method, then an attacker may be able to execute a DoS attack with a specially crafted message.Patch: aio-libs/aiohttp@bc1319e
CVE-2025-69228
Summary
A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.
Impact
If an application includes a handler that uses the
Request.post()method, an attacker may be able to freeze the server by exhausting the memory.Patch: aio-libs/aiohttp@b7dbd35
CVE-2025-69229
Summary
Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.
Impact
If an application makes use of the
request.read()method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.Patch: aio-libs/aiohttp@dc3170b
Patch: aio-libs/aiohttp@4ed97a4
CVE-2025-69230
Summary
Reading multiple invalid cookies can lead to a logging storm.
Impact
If the
cookiesattribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.Patch: aio-libs/aiohttp@64629a0
Release Notes
aio-libs/aiohttp (aiohttp)
v3.13.3Compare Source
===================
This release contains fixes for several vulnerabilities. It is advised to
upgrade as soon as possible.
Bug fixes
Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors
-- by :user:
GLeurquin.Related issues and pull requests on GitHub:
:issue:
2596.Fixed multipart reading failing when encountering an empty body part -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
11857.Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context.
Related issues and pull requests on GitHub:
:issue:
11862.Removals and backward incompatible breaking changes
Brotliandbrotlicffiminimum version is now 1.2.Decompression now has a default maximum output size of 32MiB per decompress call -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
11898.Packaging updates and notes for downstreams
Moved dependency metadata from :file:
setup.cfgto :file:pyproject.tomlper :pep:621-- by :user:
cdce8p.Related issues and pull requests on GitHub:
:issue:
11643.Contributor-facing changes
Removed unused
update-pre-commitgithub action workflow -- by :user:Cycloctane.Related issues and pull requests on GitHub:
:issue:
11689.Miscellaneous internal changes
Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10713.Added regression test for cached logging status -- by :user:
meehand.Related issues and pull requests on GitHub:
:issue:
11778.v3.13.2: 3.13.2Compare Source
Bug fixes
Fixed cookie parser to continue parsing subsequent cookies when encountering a malformed cookie that fails regex validation, such as Google's
g_statecookie with unescaped quotes -- by :user:bdraco.Related issues and pull requests on GitHub:
#11632.
Fixed loading netrc credentials from the default :file:
~/.netrc(:file:~/_netrcon Windows) location when the :envvar:NETRCenvironment variable is not set -- by :user:bdraco.Related issues and pull requests on GitHub:
#11713, #11714.
Fixed WebSocket compressed sends to be cancellation safe. Tasks are now shielded during compression to prevent compressor state corruption. This ensures that the stateful compressor remains consistent even when send operations are cancelled -- by :user:
bdraco.Related issues and pull requests on GitHub:
#11725.
v3.13.1Compare Source
===================
Features
Make configuration options in
AppRunneralso available inrun_app()-- by :user:
Cycloctane.Related issues and pull requests on GitHub:
:issue:
11633.Bug fixes
Switched to
backports.zstdfor Python <3.14 and fixed zstd decompression for chunked zstd streams -- by :user:ZhaoMJ.Note: Users who installed
zstandardfor support on Python <3.14 will now need to installbackports.zstdinstead (installingaiohttp[speedups]will do this automatically).Related issues and pull requests on GitHub:
:issue:
11623.Updated
Content-Typeheader parsing to returnapplication/octet-streamwhen header contains invalid syntax.See :rfc:
9110#section-8.3-5.-- by :user:
sgaist.Related issues and pull requests on GitHub:
:issue:
10889.Fixed Python 3.14 support when built without
zstdsupport -- by :user:JacobHenner.Related issues and pull requests on GitHub:
:issue:
11603.Fixed blocking I/O in the event loop when using netrc authentication by moving netrc file lookup to an executor -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
11634.Fixed routing to a sub-application added via
.add_domain()not workingif the same path exists on the parent app. -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
11673.Packaging updates and notes for downstreams
Moved core packaging metadata from :file:
setup.cfgto :file:pyproject.tomlper :pep:621-- by :user:
cdce8p.Related issues and pull requests on GitHub:
:issue:
9951.v3.13.0Compare Source
===================
Features
Added support for Python 3.14.
Related issues and pull requests on GitHub:
:issue:
10851, :issue:10872.Added support for free-threading in Python 3.14+ -- by :user:
kumaraditya303.Related issues and pull requests on GitHub:
:issue:
11466, :issue:11464.Added support for Zstandard (aka Zstd) compression
-- by :user:
KGuillaume-chaps.Related issues and pull requests on GitHub:
:issue:
11161.Added
StreamReader.total_raw_bytesto check the number of bytes downloaded-- by :user:
robpats.Related issues and pull requests on GitHub:
:issue:
11483.Bug fixes
Fixed pytest plugin to not use deprecated :py:mod:
asynciopolicy APIs.Related issues and pull requests on GitHub:
:issue:
10851.Updated
Content-Dispositionheader parsing to handle trailing semicolons and empty parts-- by :user:
PLPeeters.Related issues and pull requests on GitHub:
:issue:
11243.Fixed saved
CookieJarfailing to be loaded if cookies havepartitionedflag whenhttp.cookiedoes not have partitioned cookies supports. -- by :user:Cycloctane.Related issues and pull requests on GitHub:
:issue:
11523.Improved documentation
Added
Wireupto third-party libraries -- by :user:maldoinc.Related issues and pull requests on GitHub:
:issue:
11233.Packaging updates and notes for downstreams
The
blockbustertest dependency is now optional; the corresponding test fixture is disabled when it is unavailable-- by :user:
musicinybrain.Related issues and pull requests on GitHub:
:issue:
11363.Added
riscv64build to releases -- by :user:eshattow.Related issues and pull requests on GitHub:
:issue:
11425.Contributor-facing changes
Fixed
test_send_compress_textfailing when alternative zlib implementationis used. (
zlib-ngin python 3.14 windows build) -- by :user:Cycloctane.Related issues and pull requests on GitHub:
:issue:
11546.v3.12.15Compare Source
====================
Bug fixes
Fixed :class:
~aiohttp.DigestAuthMiddlewareto preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expectingalgorithm=MD5-sessinstead ofalgorithm=MD5-SESS)-- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
11352.Improved documentation
Remove outdated contents of
aiohttp-devtoolsandaiohttp-swaggerfrom Web_advanced docs.
-- by :user:
CycloctaneRelated issues and pull requests on GitHub:
:issue:
11347.Packaging updates and notes for downstreams
Started including the
llhttp:file:LICENSEfile in wheels by addingvendor/llhttp/LICENSEtolicense-filesin :file:setup.cfg-- by :user:threexc.Related issues and pull requests on GitHub:
:issue:
11226.Contributor-facing changes
Updated a regex in
test_aiohttp_request_coroutinefor Python 3.14.Related issues and pull requests on GitHub:
:issue:
11271.v3.12.14Compare Source
====================
Bug fixes
Fixed file uploads failing with HTTP 422 errors when encountering 307/308 redirects, and 301/302 redirects for non-POST methods, by preserving the request body when appropriate per :rfc:
9110#section-15.4.3-3.1-- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
11270.Fixed :py:meth:
ClientSession.close() <aiohttp.ClientSession.close>hanging indefinitely when using HTTPS requests through HTTP proxies -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
11273.Bumped minimum version of aiosignal to 1.4+ to resolve typing issues -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
11280.Features
Added initial trailer parsing logic to Python HTTP parser -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
11269.Improved documentation
Clarified exceptions raised by
WebSocketResponse.send_frameet al.-- by :user:
DoctorJohn.Related issues and pull requests on GitHub:
:issue:
11234.v3.12.13Compare Source
====================
Bug fixes
Fixed auto-created :py:class:
~aiohttp.TCPConnectornot using the session's event loop when :py:class:~aiohttp.ClientSessionis created without an explicit connector -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
11147.v3.12.12Compare Source
====================
Bug fixes
Fixed cookie unquoting to properly handle octal escape sequences in cookie values (e.g.,
\012for newline) by vendoring the correct_unquoteimplementation from Python'shttp.cookiesmodule -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
11173.Fixed
Cookieheader parsing to treat attribute names as regular cookies per :rfc:6265#section-5.4-- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
11178.v3.12.11Compare Source
====================
Features
Improved SSL connection handling by changing the default
ssl_shutdown_timeoutfrom
0.1to0seconds. SSL connections now use Python's default gracefulshutdown during normal operation but are aborted immediately when the connector
is closed, providing optimal behavior for both cases. Also added support for
ssl_shutdown_timeout=0on all Python versions. Previously, this value wasrejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
Python < 3.11 now trigger a
RuntimeWarning-- by :user:bdraco.The
ssl_shutdown_timeoutparameter is now deprecated and will be removed inaiohttp 4.0 as there is no clear use case for changing the default.
Related issues and pull requests on GitHub:
:issue:
11148.Deprecations (removal in next major release)
Improved SSL connection handling by changing the default
ssl_shutdown_timeoutfrom
0.1to0seconds. SSL connections now use Python's default gracefulshutdown during normal operation but are aborted immediately when the connector
is closed, providing optimal behavior for both cases. Also added support for
ssl_shutdown_timeout=0on all Python versions. Previously, this value wasrejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
Python < 3.11 now trigger a
RuntimeWarning-- by :user:bdraco.The
ssl_shutdown_timeoutparameter is now deprecated and will be removed inaiohttp 4.0 as there is no clear use case for changing the default.
Related issues and pull requests on GitHub:
:issue:
11148.v3.12.10Compare Source
====================
Bug fixes
Fixed leak of
aiodns.DNSResolverwhen :py:class:~aiohttp.TCPConnectoris closed and no resolver was passed when creating the connector -- by :user:Tasssadar.This was a regression introduced in version 3.12.0 (:pr:
10897).Related issues and pull requests on GitHub:
:issue:
11150.v3.12.9Compare Source
===================
Bug fixes
Fixed
IOBasePayloadandTextIOPayloadreading entire files into memory when streaming large files -- by :user:bdraco.When using file-like objects with the aiohttp client, the entire file would be read into memory if the file size was provided in the
Content-Lengthheader. This could cause out-of-memory errors when uploading large files. The payload classes now correctly read data in chunks ofREAD_SIZE(64KB) regardless of the total content length.Related issues and pull requests on GitHub:
:issue:
11138.v3.12.8Compare Source
===================
Features
Added preemptive digest authentication to :class:
~aiohttp.DigestAuthMiddleware-- by :user:bdraco.The middleware now reuses authentication credentials for subsequent requests to the same
protection space, improving efficiency by avoiding extra authentication round trips.
This behavior matches how web browsers handle digest authentication and follows
:rfc:
7616#section-3.6.Preemptive authentication is enabled by default but can be disabled by passing
preemptive=Falseto the middleware constructor.Related issues and pull requests on GitHub:
:issue:
11128, :issue:11129.v3.12.7Compare Source
===================
.. warning::
This release fixes an issue where the
quote_cookieparameter was not being properlyrespected for shared cookies (domain="", path=""). If your server does not handle quoted
cookies correctly, you may need to disable cookie quoting by setting
quote_cookie=Falsewhen creating your :class:
~aiohttp.ClientSessionor :class:~aiohttp.CookieJar.See :ref:
aiohttp-client-cookie-quoting-routinefor details.Bug fixes
Fixed cookie parsing to be more lenient when handling cookies with special characters
in names or values. Cookies with characters like
{,}, and/in names are nowaccepted instead of causing a :exc:
~http.cookies.CookieErrorand 500 errors. Additionally,cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
values are now handled consistently whether or not they include special attributes
like
Domain. Also fixed :class:~aiohttp.CookieJarto ensure shared cookies (domain="", path="")respect the
quote_cookieparameter, making cookie quoting behavior consistent forall cookies -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
2683, :issue:5397, :issue:7993, :issue:11112.Fixed an issue where cookies with duplicate names but different domains or paths
were lost when updating the cookie jar. The :class:
~aiohttp.ClientSessioncookie jar now correctly stores all cookies even if they have the same name but
different domain or path, following the :rfc:
6265#section-5.3storage model -- by :user:bdraco.Note that :attr:
ClientResponse.cookies <aiohttp.ClientResponse.cookies>returnsa :class:
~http.cookies.SimpleCookiewhich uses the cookie name as a key, soonly the last cookie with each name is accessible via this interface. All cookies
can be accessed via :meth:
ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall>if needed.Related issues and pull requests on GitHub:
:issue:
4486, :issue:11105, :issue:11106.Miscellaneous internal changes
Avoided creating closed futures in
ResponseHandlerthat will never be awaited -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
11107.Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
11114.v3.12.6Compare Source
===================
Bug fixes
Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:
bdraco.When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs.
Related issues and pull requests on GitHub:
:issue:
11100.v3.12.4Compare Source
===================
Bug fixes
Fixed connector not waiting for connections to close before returning from :meth:
~aiohttp.BaseConnector.close(partial backport of :pr:3733) -- by :user:atemateand :user:bdraco.Related issues and pull requests on GitHub:
:issue:
1925, :issue:11074.v3.12.3Compare Source
===================
Bug fixes
Fixed memory leak in :py:meth:
~aiohttp.CookieJar.filter_cookiesthat caused unbounded memory growthwhen making requests to different URL paths -- by :user:
bdracoand :user:Cycloctane.Related issues and pull requests on GitHub:
:issue:
11052, :issue:11054.v3.12.2Compare Source
===================
Bug fixes
Fixed
Content-Lengthheader not being set to0for non-GET requests withNonebody -- by :user:bdraco.Non-GET requests (
POST,PUT,PATCH,DELETE) withNoneas the body now correctly set theContent-Lengthheader to0, matching the behavior of requests with empty bytes (b""). This regression was introduced in aiohttp 3.12.1.Related issues and pull requests on GitHub:
:issue:
11035.v3.12.1Compare Source
====================
Bug fixes
Fixed :class:
~aiohttp.DigestAuthMiddlewareto preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expectingalgorithm=MD5-sessinstead ofalgorithm=MD5-SESS)-- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
11352.Improved documentation
Remove outdated contents of
aiohttp-devtoolsandaiohttp-swaggerfrom Web_advanced docs.
-- by :user:
CycloctaneRelated issues and pull requests on GitHub:
:issue:
11347.Packaging updates and notes for downstreams
Started including the
llhttp:file:LICENSEfile in wheels by addingvendor/llhttp/LICENSEtolicense-filesin :file:setup.cfg-- by :user:threexc.Related issues and pull requests on GitHub:
:issue:
11226.Contributor-facing changes
Updated a regex in
test_aiohttp_request_coroutinefor Python 3.14.Related issues and pull requests on GitHub:
:issue:
11271.v3.12.0Compare Source
===================
Bug fixes
Fixed :py:attr:
~aiohttp.web.WebSocketResponse.preparedproperty to correctly reflect the prepared state, especially during timeout scenarios -- by :user:bdracoRelated issues and pull requests on GitHub:
:issue:
6009, :issue:10988.Response is now always True, instead of using MutableMapping behaviour (False when map is empty)
Related issues and pull requests on GitHub:
:issue:
10119.Fixed connection reuse for file-like data payloads by ensuring buffer
truncation respects content-length boundaries and preventing premature
connection closure race -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10325, :issue:10915, :issue:10941, :issue:10943.Fixed pytest plugin to not use deprecated :py:mod:
asynciopolicy APIs.Related issues and pull requests on GitHub:
:issue:
10851.Fixed :py:class:
~aiohttp.resolver.AsyncResolvernot using theloopargument in versions 3.x where it should still be supported -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10951.Features
Added a comprehensive HTTP Digest Authentication client middleware (DigestAuthMiddleware)
that implements RFC 7616. The middleware supports all standard hash algorithms
(MD5, SHA, SHA-256, SHA-512) with session variants, handles both 'auth' and
'auth-int' quality of protection options, and automatically manages the
authentication flow by intercepting 401 responses and retrying with proper
credentials -- by :user:
feus4177, :user:TimMenninger, and :user:bdraco.Related issues and pull requests on GitHub:
:issue:
2213, :issue:10725.Added client middleware support -- by :user:
bdracoand :user:Dreamsorcerer.This change allows users to add middleware to the client session and requests, enabling features like
authentication, logging, and request/response modification without modifying the core
request logic. Additionally, the
sessionattribute was added toClientRequest,allowing middleware to access the session for making additional requests.
Related issues and pull requests on GitHub:
:issue:
9732, :issue:10902, :issue:10945, :issue:10952, :issue:10959, :issue:10968.Allow user setting zlib compression backend -- by :user:
TimMenningerThis change allows the user to call :func:
aiohttp.set_zlib_backend()with thezlib compression module of their choice. Default behavior continues to use
the builtin
zliblibrary.Related issues and pull requests on GitHub:
:issue:
9798.Added support for overriding the base URL with an absolute one in client sessions
-- by :user:
vivodi.Related issues and pull requests on GitHub:
:issue:
10074.Added
hostparameter toaiohttp_serverfixture -- by :user:christianwbrock.Related issues and pull requests on GitHub:
:issue:
10120.Detect blocking calls in coroutines using BlockBuster -- by :user:
cbornet.Related issues and pull requests on GitHub:
:issue:
10433.Added
socket_factoryto :py:class:aiohttp.TCPConnectorto allow specifying custom socket options-- by :user:
TimMenninger.Related issues and pull requests on GitHub:
:issue:
10474, :issue:10520, :issue:10961, :issue:10962.Started building armv7l manylinux wheels -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10797.Implemented shared DNS resolver management to fix excessive resolver object creation
when using multiple client sessions. The new
_DNSResolverManagersingleton ensuresonly one
DNSResolverobject is created for default configurations, significantlyreducing resource usage and improving performance for applications using multiple
client sessions simultaneously -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10847, :issue:10923, :issue:10946.Upgraded to LLHTTP 9.3.0 -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
10972.Optimized small HTTP requests/responses by coalescing headers and body into a single TCP packet -- by :user:
bdraco.This change enhances network efficiency by reducing the number of packets sent for small HTTP payloads, improving latency and reducing overhead. Most importantly, this fixes compatibility with memory-constrained IoT devices that can only perform a single read operation and expect HTTP requests in one packet. The optimization uses zero-copy
writelineswhen coalescing data and works with both regular and chunked transfer encoding.When
aiohttpuses client middleware to communicate with anaiohttpserver, connection reuse is more likely to occur since complete responses arrive in a single packet for small payloads.This aligns
aiohttpwith other popular HTTP clients that already coalesce small requests.Related issues and pull requests on GitHub:
:issue:
10991.Improved documentation
Improved documentation for middleware by adding warnings and examples about
request body stream consumption. The documentation now clearly explains that
request body streams can only be read once and provides best practices for
sharing parsed request data between middleware and handlers -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
2914.Packaging updates and notes for downstreams
Removed non SPDX-license description from
setup.cfg-- by :user:devanshu-ziphq.Related issues and pull requests on GitHub:
:issue:
10662.Added support for building against system
llhttplibrary -- by :user:mgorny.This change adds support for :envvar:
AIOHTTP_USE_SYSTEM_DEPSenvironment variable thatcan be used to build aiohttp against the system install of the
llhttplibrary ratherthan the vendored one.
Related issues and pull requests on GitHub:
:issue:
10759.aiodnsis now installed on Windows with speedups extra -- by :user:bdraco.As of
aiodns3.3.0,SelectorEventLoopis no longer required when usingpycares4.7.0 or later.Related issues and pull requests on GitHub:
:issue:
10823.Fixed compatibility issue with Cython 3.1.1 -- by :user:
bdracoRelated issues and pull requests on GitHub:
:issue:
10877.Contributor-facing changes
Sped up tests by disabling
blockbusterfixture fortest_static_file_hugeandtest_static_file_huge_canceltests -- by :user:dikos1337.Related issues and pull requests on GitHub:
:issue:
9705, :issue:10761.Updated tests to avoid using deprecated :py:mod:
asynciopolicy APIs andmake it compatible with Python 3.14.
Related issues and pull requests on GitHub:
:issue:
10851.Added Winloop to test suite to support in the future -- by :user:
Vizonex.Related issues and pull requests on GitHub:
:issue:
10922.Miscellaneous internal changes
Added support for the
partitionedattribute in theset_cookiemethod.Related issues and pull requests on GitHub:
:issue:
9870.Setting :attr:
aiohttp.web.StreamResponse.last_modifiedto an unsupported type will now raise :exc:TypeErrorinstead of silently failing -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10146.v3.11.18Compare Source
====================
Bug fixes
Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop and newer Python versions -- by :user:
lezgomatt.Related issues and pull requests on GitHub:
:issue:
7686.Fixed reading fragmented WebSocket messages when the payload was masked -- by :user:
bdraco.The problem first appeared in 3.11.17
Related issues and pull requests on GitHub:
:issue:
10764.v3.11.17Compare Source
====================
Miscellaneous internal changes
Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10713.Improved web server performance when connection can be reused -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10714.Improved performance of the WebSocket reader -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10740.Improved performance of the WebSocket reader with large messages -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10744.v3.11.16Compare Source
====================
Bug fixes
Replaced deprecated
asyncio.iscoroutinefunctionwith its counterpart frominspect-- by :user:
layday.Related issues and pull requests on GitHub:
:issue:
10634.Fixed :class:
multidict.CIMultiDictbeing mutated when passed to :class:aiohttp.web.Response-- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10672.v3.11.15Compare Source
====================
Bug fixes
Reverted explicitly closing sockets if an exception is raised during
create_connection-- by :user:bdraco.This change originally appeared in aiohttp 3.11.13
Related issues and pull requests on GitHub:
:issue:
10464, :issue:10617, :issue:10656.Miscellaneous internal changes
Improved performance of WebSocket buffer handling -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10601.Improved performance of serializing headers -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10625.v3.11.14Compare Source
====================
Bug fixes
Fixed an issue where dns queries were delayed indefinitely when an exception occurred in a
trace.send_dns_cache_miss-- by :user:
logioniz.Related issues and pull requests on GitHub:
:issue:
10529.Fixed DNS resolution on platforms that don't support
socket.AI_ADDRCONFIG-- by :user:maxbachmann.Related issues and pull requests on GitHub:
:issue:
10542.The connector now raises :exc:
aiohttp.ClientConnectionErrorinstead of :exc:OSErrorwhen failing to explicitly close the socket after :py:meth:asyncio.loop.create_connectionfails -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10551.Break cyclic references at connection close when there was a traceback -- by :user:
bdraco.Special thanks to :user:
availovfor reporting the issue.Related issues and pull requests on GitHub:
:issue:
10556.Break cyclic references when there is an exception handling a request -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10569.Features
Improved logging on non-overlapping WebSocket client protocols to include the remote address -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10564.Miscellaneous internal changes
Improved performance of parsing content types by adding a cache in the same manner currently done with mime types -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10552.v3.11.13Compare Source
====================
Bug fixes
Reverted explicitly closing sockets if an exception is raised during
create_connection-- by :user:bdraco.This change originally appeared in aiohttp 3.11.13
Related issues and pull requests on GitHub:
:issue:
10464, :issue:10617, :issue:10656.Miscellaneous internal changes
Improved performance of WebSocket buffer handling -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10601.Improved performance of serializing headers -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10625.v3.11.12Compare Source
====================
Bug fixes
MultipartForm.decode()now follows RFC1341 7.2.1 with aCRLFafter the boundary-- by :user:
imnotjames.Related issues and pull requests on GitHub:
:issue:
10270.Restored the missing
total_bytesattribute toEmptyStreamReader-- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10387.Features
Updated :py:func:
~aiohttp.requestto make it accept_RequestOptionskwargs.-- by :user:
Cycloctane.Related issues and pull requests on GitHub:
:issue:
10300.Improved logging of HTTP protocol errors to include the remote address -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10332.Improved documentation
Added
aiohttp-openmetricsto list of third-party libraries -- by :user:jelmer.Related issues and pull requests on GitHub:
:issue:
10304.Packaging updates and notes for downstreams
Added missing files to the source distribution to fix
Makefiletargets.Added a
cythonize-nodepstarget to run Cython without invoking pip to install dependencies.Related issues and pull requests on GitHub:
:issue:
10366.Started building armv7l musllinux wheels -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10404.Contributor-facing changes
The CI/CD workflow has been updated to use
upload-artifactv4 anddownload-artifactv4 GitHub Actions -- by :user:silamon.Related issues and pull requests on GitHub:
:issue:
10281.Miscellaneous internal changes
Restored support for zero copy writes when using Python 3.12 versions 3.12.9 and later or Python 3.13.2+ -- by :user:
bdraco.Zero copy writes were previously disabled due to :cve:
2024-12254which is resolved in these Python versions.Related issues and pull requests on GitHub:
:issue:
10137.v3.11.11Compare Source
====================
Bug fixes
Updated :py:meth:
~aiohttp.ClientSession.requestto reuse thequote_cookiesetting fromClientSession._cookie_jarwhen processing cookies parameter.-- by :user:
Cycloctane.Related issues and pull requests on GitHub:
:issue:
10093.Fixed type of
SSLContextfor some static type checkers (e.g. pyright).Related issues and pull requests on GitHub:
:issue:
10099.Updated :meth:
aiohttp.web.StreamResponse.writeannotation to also allow :class:bytearrayand :class:memoryviewas inputs -- by :user:cdce8p.Related issues and pull requests on GitHub:
:issue:
10154.Fixed a hang where a connection previously used for a streaming
download could be returned to the pool in a paused state.
-- by :user:
javitonino.Related issues and pull requests on GitHub:
:issue:
10169.Features
Enabled ALPN on default SSL contexts. This improves compatibility with some
proxies which don't work without this extension.
-- by :user:
Cycloctane.Related issues and pull requests on GitHub:
:issue:
10156.Miscellaneous internal changes
Fixed an infinite loop that can occur when using aiohttp in combination
with
async-solipsism_ -- by :user:bmerry... _async-solipsism: https://github.com/bmerry/async-solipsism
Related issues and pull requests on GitHub:
:issue:
10149.v3.11.10Compare Source
====================
Bug fixes
Fixed race condition in :class:
aiohttp.web.FileResponsethat could have resulted in an incorrect response if the file was replaced on the file system duringprepare-- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10101, :issue:10113.Replaced deprecated call to :func:
mimetypes.guess_typewith :func:mimetypes.guess_file_typewhen using Python 3.13+ -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10102.Disabled zero copy writes in the
StreamWriter-- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10125.v3.11.9Compare Source
===================
Bug fixes
Fixed invalid method logging unexpected being logged at exception level on subsequent connections -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10055, :issue:10076.Miscellaneous internal changes
Improved performance of parsing headers when using the C parser -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10073.v3.11.8Compare Source
===================
Miscellaneous internal changes
Improved performance of creating :class:
aiohttp.ClientResponseobjects when there are no cookies -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10029.Improved performance of creating :class:
aiohttp.ClientResponseobjects -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10030.Improved performances of creating objects during the HTTP request lifecycle -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10037.Improved performance of constructing :class:
aiohttp.web.Responsewith headers -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10043.Improved performance of making requests when there are no auto headers to skip -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
10049.Downgraded logging of invalid HTTP method exceptions on the first request to debug level -- by :user:
bdraco.HTTP requests starting with an invalid method are relatively common, especially when connected to the public internet, because browsers or other clients may try to speak SSL to a plain-text server or vice-versa. These exceptions can quickly fill the log with noise when nothing is wrong.
Related issues and pull requests on GitHub:
:issue:
10055.v3.11.7Compare Source
===================
Bug fixes
Fixed the HTTP client not considering the connector's
force_closevalue when setting theConnectionheader -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
10003.Miscellaneous internal changes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.