Commit 4447e3e
chore(deps): update dependency aiohttp to v3.14.1 [security] (#418)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [aiohttp](https://redirect.github.com/aio-libs/aiohttp) | `3.14.0` -> `3.14.1` | | |
### GitHub Vulnerability Alerts
#### [CVE-2026-54278](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74)
### Summary
During cleanup it is possible for a compressed request body to be
decompressed into memory in one chunk.
### Impact
An attacker may be able to send a compressed payload in specific
situations that could be decompressed into memory, potentially leading
to DoS (a zip bomb edge case).
### Workaround
Disable compression if unable to upgrade.
-----
Patch:
aio-libs/aiohttp@4f7480e
#### [CVE-2026-54279](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-2fqr-mr3j-6wp8)
### Summary
Host-only cookies that are saved with ``CookieJar.save()`` and then
restored later with ``CookieJar.load()`` lose their host-only status.
### Impact
Host-only cookies that have been loaded from disk may get sent to
subdomains that previously should have been disallowed.
-----
Patch:
aio-libs/aiohttp@a329a7a
#### [CVE-2026-54280](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9)
### Summary
Payload resources are not closed correctly when a client disconnects in
the middle of a write.
### Impact
If a payload is using an open file or similar limited resource, then an
attacker may be able to cause resource starvation temporarily until
garbage collection or similar closes the file.
-----
Patch:
aio-libs/aiohttp@a762eda
#### [CVE-2026-54276](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-hpj7-wq8m-9hgp)
### Summary
``DigestAuthMiddleware`` can send an authentication response after
following a cross-origin redirect.
### Impact
If the client follows a redirect (the default option) to an attacker
controlled domain, the attacker may be able to extract the auth digest.
This likely requires an open redirect vulnerability or similar on the
target domain for an attacker to be able to execute. Further, the
attacker is only receiving the digest, so should only be able to extract
the user's credentials if the cryptography is weak or there is some kind
of password reuse.
### Workaround
Disable ``follow_redirects`` if this is a concern.
-----
Patch:
aio-libs/aiohttp@38d1606
#### [CVE-2026-54274](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989)
### Summary
If an attacker sends large incomplete websocket frame payloads, it may
be possible to bypass the usual size limits on memory use.
### Impact
If a web application has WebSocket endpoints, it may be possible for an
attacker to execute a DoS attack through excessive memory use.
-----
Patch:
aio-libs/aiohttp@14b6ee8
#### [CVE-2026-54275](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-4m7w-qmgq-4wj5)
### Summary
The `server_hostname` TLS SNI check can be bypassed when an existing
connection is reused.
### Impact
If an application makes multiple requests to the same domain, but with
different per-request `server_hostname` parameters, then the later calls
may succeed by reusing the existing connection when they should have
been rejected due to the TLS SNI check.
### Workaround
Disable keep_alive if you need to change the `server_hostname` check
between requests.
-----
Patch:
aio-libs/aiohttp@0ca2b6c
#### [CVE-2026-54277](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2)
### Summary
It is possible to bypass the max_line_size check in parts of an HTTP
request in the C parser.
### Impact
If using the optimised C parser (the default in pre-built wheels), then
an attacker may be able to send oversized lines through the HTTP parser
and use an excessive amount of memory, potentially leading to DoS.
-----
Patch:
aio-libs/aiohttp@5ab61bb
#### [CVE-2026-54273](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-4fvr-rgm6-gqmc)
### Summary
No limit was present on the number of pipelined requests that could be
queued.
### Impact
An attacker may be able to use pipelined requests to use excessive
amounts of memory, potentially leading to DoS.
-----
Patch:
aio-libs/aiohttp@dfdfa9d
---
### Release Notes
<details>
<summary>aio-libs/aiohttp (aiohttp)</summary>
### [`v3.14.1`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3141-2026-06-07)

[Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.14.0...v3.14.1)
## Bug fixes
- Fixed a race condition in :py:class:`~aiohttp.TCPConnector` where
closing the connector while a DNS resolution was in-flight could raise
:py:exc:`AttributeError` instead of
:py:exc:`~aiohttp.ClientConnectionError` -- by
:user:`goingforstudying-ctrl`.
*Related issues and pull requests on GitHub:*
:issue:`12497`.
- Fixed `CancelledError` not closing a connection -- by
:user:`aiolibsbot`.
*Related issues and pull requests on GitHub:*
:issue:`12795`.
- Tightened up some websocket parser checks -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`12817`.
- Fixed :class:`~aiohttp.CookieJar` dropping the host-only flag of
cookies when persisted with :meth:`~aiohttp.CookieJar.save` and reloaded
with :meth:`~aiohttp.CookieJar.load`, so a cookie set without a `Domain`
attribute is again scoped to the exact host that set it after a reload;
the absolute expiration deadline is now persisted as well, so a reloaded
cookie keeps its original lifetime instead of being rescheduled from the
load time. :meth:`~aiohttp.CookieJar.load` now replaces the jar contents
rather than merging onto prior state, and loaded cookies pass through
the same acceptance rules as :meth:`~aiohttp.CookieJar.update_cookies`,
so a cookie for an IP-address host is dropped when loaded into a jar
created without `unsafe=True` -- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`12824`.
- Scoped :class:`~aiohttp.DigestAuthMiddleware` credentials to the
origin of the first request it handles, so a redirect to a different
origin no longer triggers a digest response computed from the configured
credentials; a challenge from another origin is only answered when that
origin falls within a protection space advertised by the anchor origin
through the RFC 7616 `domain` directive -- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`12825`.
- Fixed the C HTTP parser not enforcing `max_line_size` on a request
target or response reason phrase that is split across multiple reads;
each fragment was checked on its own, so an accumulated line could
exceed the limit without raising `LineTooLong`. The accumulated length
is now checked, matching the pure-Python parser -- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`12826`.
- Changed :class:`~aiohttp.TCPConnector` to reject legacy non-canonical
numeric IPv4 host forms such as `2130706433`, `017700000001` and `127.1`
with :exc:`~aiohttp.InvalidUrlClientError`; only canonical dotted-quad
IPv4 literals are now treated as IP address literals, while every other
host is sent through the configured resolver -- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`12827`.
- Fixed :meth:`~aiohttp.StreamReader.readany` and
:meth:`~aiohttp.StreamReader.read_nowait` joining data fed back into the
buffer during the call (when draining below the low water mark resumes
reading) into a single unbounded :class:`bytes`; a call now returns only
the chunks that were buffered when it started, keeping the drain of an
unread auto-decompressed request body bounded by the read buffer -- by
:user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`12828`.
- Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests
buffered per connection on the server; once the queue reaches an
internal limit the parser stops emitting and the transport is paused,
resuming as the request handler drains the queue, so a client keeping
one handler busy can no longer accumulate an unbounded backlog of
pipelined requests -- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`12830`.
- Fixed :meth:`aiohttp.web.Response.write_eof` skipping
`Payload.close()` when the body write was interrupted by an error or
cancellation, for example when a client disconnects mid-response; the
payload close hook now runs in a `finally` so a
:class:`~aiohttp.payload.Payload` body always releases its resources --
by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`12831`.
- Fixed the pure-Python HTTP parser not enforcing `max_line_size` on a
chunk-size line when the whole line arrived in a single read; the limit
was only applied to chunk-size metadata split across reads. The
complete-line case is now checked too, matching the split-line behavior
-- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`12832`.
- Included the per-request `server_hostname` override in the
:class:`~aiohttp.TCPConnector` connection pool key, so a pooled TLS
connection is no longer reused for a request that sets `server_hostname`
to a different value -- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`12835`.
***
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone UTC, Automerge - At any
time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: Renovate Bot <renovate@whitesourcesoftware.com>

1 parent ad67887 commit 4447e3e
1 file changed: 120 additions & 120 deletions
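The host-only cookie regression fixed in this bump (CVE-2026-54279, the `CookieJar.save()`/`CookieJar.load()` round trip) is easy to reproduce in miniature. The block below is an added example and not aiohttp's code: it models a tiny cookie jar with a serializer that drops the host-only flag (the pre-fix shape) next to one that keeps it, and shows which cookies each variant would attach to a request for a subdomain. All names (`Cookie`, `parse_set_cookie`, `save_lossy`, `load_lossy`, `save_fixed`, `load_fixed`, `cookies_for`) and the sample hosts are assumptions made for the illustration, and the matching rules follow RFC 6265 sections 5.1.3 and 5.4 rather than aiohttp's internals.

```python
"""Toy cookie jar: why the host-only flag must survive save()/load().

Added illustration, not aiohttp's implementation. Host names and cookie
headers below are constructed sample input.
"""
import json
from dataclasses import asdict, dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # lowercased host that set it, or the Domain attribute
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """RFC 6265 5.1.3 domain matching plus the host-only rule of 5.4."""
    request_host = request_host.lower()
    if cookie.host_only:
        # A host-only cookie goes back to exactly the host that set it.
        return request_host == cookie.domain
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)


def parse_set_cookie(origin_host: str, header: str) -> Cookie:
    """Parse 'name=value; attr=...' from origin_host, tracking host-only."""
    parts = [p.strip() for p in header.split(";")]
    name, value = parts[0].split("=", 1)
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val:
            domain = val.strip().lstrip(".").lower()
    if domain is None:
        return Cookie(name, value, origin_host.lower(), host_only=True)
    return Cookie(name, value, domain, host_only=False)


def save_lossy(cookies: list[Cookie]) -> str:
    """Pre-fix shape: the host-only flag is simply not written out."""
    return json.dumps(
        [{"name": c.name, "value": c.value, "domain": c.domain} for c in cookies]
    )


def load_lossy(blob: str) -> list[Cookie]:
    """Without the flag, every reloaded cookie silently becomes a domain cookie."""
    return [Cookie(d["name"], d["value"], d["domain"], host_only=False) for d in json.loads(blob)]


def save_fixed(cookies: list[Cookie]) -> str:
    """Fixed shape: persist the whole record, host_only included."""
    return json.dumps([asdict(c) for c in cookies])


def load_fixed(blob: str) -> list[Cookie]:
    return [Cookie(**d) for d in json.loads(blob)]


def cookies_for(request_host: str, cookies: list[Cookie]) -> list[str]:
    """Names of the cookies that would be attached to a request for request_host."""
    return sorted(c.name for c in cookies if domain_matches(request_host, c))


def demo() -> dict:
    """Compare what a subdomain receives before and after a save/load round trip."""
    jar = [
        parse_set_cookie("example.com", "session=abc; Path=/"),            # host-only
        parse_set_cookie("example.com", "pref=1; Domain=.example.com"),   # domain cookie
    ]
    return {
        "fresh": cookies_for("api.example.com", jar),
        "lossy_reload": cookies_for("api.example.com", load_lossy(save_lossy(jar))),
        "fixed_reload": cookies_for("api.example.com", load_fixed(save_fixed(jar))),
    }


if __name__ == "__main__":
    print(demo())
```

The lossy round trip is the advisory's failure mode: after reload, `session` (set without a `Domain` attribute, so host-only) is sent to `api.example.com` even though the fresh jar would not have sent it there. Persisting the flag restores the original scope. When auditing a client that persists cookies, the check to add is exactly `demo()`'s comparison: the set of cookies attached to a subdomain request must be identical before and after a save/load cycle.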