
Commit 4447e3e

a-klos and renovate-bot authored
chore(deps): update dependency aiohttp to v3.14.1 [security] (#418)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [aiohttp](https://redirect.github.com/aio-libs/aiohttp) | `3.14.0` -> `3.14.1` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/aiohttp/3.14.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/aiohttp/3.14.0/3.14.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2026-54278](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74)

### Summary

During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.

### Impact

An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).

### Workaround

Disable compression if unable to upgrade.

-----

Patch: aio-libs/aiohttp@4f7480e

#### [CVE-2026-54279](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-2fqr-mr3j-6wp8)

### Summary

Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status.

### Impact

Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed.

-----

Patch: aio-libs/aiohttp@a329a7a

#### [CVE-2026-54280](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9)

### Summary

Payload resources are not closed correctly when a client disconnects in the middle of a write.

### Impact

If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.

-----

Patch: aio-libs/aiohttp@a762eda

#### [CVE-2026-54276](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-hpj7-wq8m-9hgp)

### Summary

``DigestAuthMiddleware`` can send an authentication response after following a cross-origin redirect.

### Impact

If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse.

### Workaround

Disable ``follow_redirects`` if this is a concern.

-----

Patch: aio-libs/aiohttp@38d1606

#### [CVE-2026-54274](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989)

### Summary

If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.

### Impact

If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use.

-----

Patch: aio-libs/aiohttp@14b6ee8

#### [CVE-2026-54275](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-4m7w-qmgq-4wj5)

### Summary

The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused.

### Impact

If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.

### Workaround

Disable keep_alive if you need to change the `server_hostname` check between requests.

-----

Patch: aio-libs/aiohttp@0ca2b6c

#### [CVE-2026-54277](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2)

### Summary

It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser.

### Impact

If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.

-----

Patch: aio-libs/aiohttp@5ab61bb

#### [CVE-2026-54273](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-4fvr-rgm6-gqmc)

### Summary

No limit was present on the number of pipelined requests that could be queued.

### Impact

An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS.

-----

Patch: aio-libs/aiohttp@dfdfa9d

---

### Release Notes

<details>
<summary>aio-libs/aiohttp (aiohttp)</summary>

### [`v3.14.1`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3141-2026-06-07)

[Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.14.0...v3.14.1)

## Bug fixes

- Fixed a race condition in :py:class:`~aiohttp.TCPConnector` where closing the connector while a DNS resolution was in-flight could raise :py:exc:`AttributeError` instead of :py:exc:`~aiohttp.ClientConnectionError` -- by :user:`goingforstudying-ctrl`.

  *Related issues and pull requests on GitHub:* :issue:`12497`.

- Fixed `CancelledError` not closing a connection -- by :user:`aiolibsbot`.

  *Related issues and pull requests on GitHub:* :issue:`12795`.

- Tightened up some websocket parser checks -- by :user:`Dreamsorcerer`.

  *Related issues and pull requests on GitHub:* :issue:`12817`.

- Fixed :class:`~aiohttp.CookieJar` dropping the host-only flag of cookies when persisted with :meth:`~aiohttp.CookieJar.save` and reloaded with :meth:`~aiohttp.CookieJar.load`, so a cookie set without a `Domain` attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:`~aiohttp.CookieJar.load` now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:`~aiohttp.CookieJar.update_cookies`, so a cookie for an IP-address host is dropped when loaded into a jar created without `unsafe=True` -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`12824`.

- Scoped :class:`~aiohttp.DigestAuthMiddleware` credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 `domain` directive -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`12825`.

- Fixed the C HTTP parser not enforcing `max_line_size` on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising `LineTooLong`. The accumulated length is now checked, matching the pure-Python parser -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`12826`.

- Changed :class:`~aiohttp.TCPConnector` to reject legacy non-canonical numeric IPv4 host forms such as `2130706433`, `017700000001` and `127.1` with :exc:`~aiohttp.InvalidUrlClientError`; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`12827`.

- Fixed :meth:`~aiohttp.StreamReader.readany` and :meth:`~aiohttp.StreamReader.read_nowait` joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:`bytes`; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`12828`.

- Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`12830`.

- Fixed :meth:`aiohttp.web.Response.write_eof` skipping `Payload.close()` when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a `finally` so a :class:`~aiohttp.payload.Payload` body always releases its resources -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`12831`.

- Fixed the pure-Python HTTP parser not enforcing `max_line_size` on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`12832`.

- Included the per-request `server_hostname` override in the :class:`~aiohttp.TCPConnector` connection pool key, so a pooled TLS connection is no longer reused for a request that sets `server_hostname` to a different value -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`12835`.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: Renovate Bot <renovate@whitesourcesoftware.com>
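The host-only cookie regression (CVE-2026-54279) comes down to one flag surviving a save/load round trip. The following is an added, stand-alone model of the RFC 6265 scoping rule and of what happens when the flag is not persisted; it is not aiohttp's `CookieJar` code, and the `StoredCookie` record, the `save`/`load` helpers and the `example.com` sample cookie are constructed for illustration.

```python
"""Model of host-only cookie scoping across a persisted jar (added example)."""
import json
from dataclasses import asdict, dataclass


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str       # host that set the cookie, or its Domain attribute
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-match: equal, or request host is a subdomain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def should_send(cookie: StoredCookie, request_host: str) -> bool:
    """Host-only cookies need an exact host match; domain cookies domain-match."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain.lower()
    return domain_matches(request_host, cookie.domain)


def save(cookies: list[StoredCookie], keep_host_only: bool) -> str:
    """Serialize the jar. keep_host_only=False models a jar format that drops
    the flag, which is the defect the advisory describes."""
    records = []
    for c in cookies:
        rec = asdict(c)
        if not keep_host_only:
            del rec["host_only"]
        records.append(rec)
    return json.dumps(records)


def load(blob: str) -> list[StoredCookie]:
    """Restore cookies; a record with no flag degrades to a domain cookie."""
    return [StoredCookie(r["name"], r["value"], r["domain"], r.get("host_only", False))
            for r in json.loads(blob)]


def sent_to_subdomain_after_reload(keep_host_only: bool) -> bool:
    """Constructed sample: a host-only session cookie for example.com.
    Returns True if, after a save/load cycle, it would leak to a subdomain."""
    jar = [StoredCookie("session", "s3cr3t", "example.com", host_only=True)]
    reloaded = load(save(jar, keep_host_only))
    return should_send(reloaded[0], "api.example.com")
```

With the flag dropped on save, the reloaded cookie domain-matches `api.example.com` and would be sent; with the flag persisted, only an exact `example.com` request receives it.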
1 parent ad67887 commit 4447e3e

1 file changed

Lines changed: 120 additions & 120 deletions
