Commit d03de8a
authored
chore(deps): update dependency aiohttp to v3.13.4 [security] (#16518)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [aiohttp](https://redirect.github.com/aio-libs/aiohttp) | `==3.13.3` →
`==3.13.4` |
|
|
### GitHub Vulnerability Alerts
####
[CVE-2026-22815](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5)
### Summary
Insufficient restrictions in header/trailer handling could cause
uncapped memory usage.
### Impact
An application could cause memory exhaustion when receiving an attacker
controlled request or response. A vulnerable web application could
mitigate these risks with a typical reverse proxy configuration.
-----
Patch:
aio-libs/aiohttp@0c2e9da
####
[CVE-2026-34513](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-hcc4-c3v8-rx92)
### Summary
An unbounded DNS cache could result in excessive memory usage possibly
resulting in a DoS situation.
### Impact
If an application makes requests to a very large number of hosts, this
could cause the DNS cache to continue growing and slowly use excessive
amounts of memory.
-----
Patch:
aio-libs/aiohttp@c4d77c3
####
[CVE-2026-34514](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5)
### Summary
An attacker who controls the `content_type` parameter in aiohttp could
use this to inject extra headers or similar exploits.
### Impact
If an application allows untrusted data to be used for the multipart
`content_type` parameter when constructing a request, an attacker may be
able to manipulate the request to send something other than what the
developer intended.
-----
Patch:
aio-libs/aiohttp@9a6ada9
####
[CVE-2026-34515](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783m)
### Summary
On Windows the static resource handler may expose information about a
NTLMv2 remote path.
### Impact
If an application is running on Windows, and using aiohttp's static
resource handler (not recommended in production), then it may be
possible for an attacker to extract the hash from an NTLMv2 path and
then extract the user's credentials from there.
-----
Patch:
aio-libs/aiohttp@0ae2aa0
####
[CVE-2026-34516](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-m5qp-6w8w-w647)
### Summary
A response with an excessive number of multipart headers may be allowed
to use more memory than intended, potentially allowing a DoS
vulnerability.
### Impact
Multipart headers were not subject to the same size restrictions in
place for normal headers, potentially allowing substantially more data
to be loaded into memory than intended. However, other restrictions in
place limit the impact of this vulnerability.
-----
Patch:
aio-libs/aiohttp@8a74257
####
[CVE-2026-34517](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j)
### Summary
For some multipart form fields, aiohttp read the entire field into
memory before checking client_max_size.
### Impact
If an application uses `Request.post()` an attacker can send a specially
crafted multipart request to force significant temporary memory
allocation even when the request is ultimately rejected.
-----
Patch:
aio-libs/aiohttp@cbb774f
####
[CVE-2026-34518](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-966j-vmvw-g2g9)
### Summary
When following redirects to a different origin, aiohttp drops the
Authorization header, but retains the Cookie and Proxy-Authorization
headers.
### Impact
The Cookie and Proxy-Authorizations headers could contain sensitive
information which may be leaked to an unintended party after following a
redirect.
-----
Patch:
aio-libs/aiohttp@5351c98
####
[CVE-2026-34519](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w)
### Summary
An attacker who controls the `reason` parameter when creating a
`Response` may be able to inject extra headers or similar exploits.
### Impact
In the unlikely situation that an application allows untrusted data to
be used in the response's `reason` parameter, then an attacker could
manipulate the response to send something different from what the
developer intended.
-----
Patch:
aio-libs/aiohttp@53b35a2
####
[CVE-2026-34520](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf)
### Summary
The C parser (the default for most installs) accepted null bytes and
control characters is response headers.
### Impact
An attacker could send header values that are interpreted differently
than expected due to the presence of control characters. For example,
`request.url.origin()` may return a different value than the raw Host
header, or what a reverse proxy interpreted it as., potentially
resulting in some kind of security bypass.
-----
Patch:
aio-libs/aiohttp@9370b97
####
[CVE-2026-34525](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67)
### Summary
Multiple Host headers were allowed in aiohttp.
### Impact
Mostly this doesn't affect aiohttp security itself, but if a reverse
proxy is applying security rules depending on the target Host, it is
theoretically possible that the proxy and aiohttp could process
different host names, possibly resulting in bypassing a security check
on the proxy and getting a request processed by aiohttp in a privileged
sub app when using `Application.add_domain()`.
-----
Patch:
aio-libs/aiohttp@e00ca3c
Patch:
aio-libs/aiohttp@53e2e6f
---
### Release Notes
<details>
<summary>aio-libs/aiohttp (aiohttp)</summary>
###
[`v3.13.4`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3134-2026-03-28)
[Compare
Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.13.3...v3.13.4)
\===================
## Features
- Added `max_headers` parameter to limit the number of headers that
should be read from a response -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`11955`.
- Added a `dns_cache_max_size` parameter to `TCPConnector` to limit the
size of the cache -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`12106`.
## Bug fixes
- Fixed server hanging indefinitely when chunked transfer encoding
chunk-size
does not match actual data length. The server now raises
`TransferEncodingError` instead of waiting forever for data that will
never arrive -- by :user:`Fridayai700`.
*Related issues and pull requests on GitHub:*
:issue:`10596`.
- Fixed access log timestamps ignoring daylight saving time (DST)
changes. The
previous implementation used :py:data:`time.timezone` which is a
constant and
does not reflect DST transitions -- by :user:`nightcityblade`.
*Related issues and pull requests on GitHub:*
:issue:`11283`.
- Fixed `RuntimeError: An event loop is running` error when using
`aiohttp.GunicornWebWorker`
or `aiohttp.GunicornUVLoopWebWorker` on Python >=3.14.
\-- by :user:`Tasssadar`.
*Related issues and pull requests on GitHub:*
:issue:`11701`.
- Fixed :exc:`ValueError` when creating a TLS connection with
`ClientTimeout(total=0)` by converting `0` to `None` before passing to
`ssl_handshake_timeout` in :py:meth:`asyncio.loop.start_tls` -- by
:user:`veeceey`.
*Related issues and pull requests on GitHub:*
:issue:`11859`.
- Restored :py:meth:`~aiohttp.BodyPartReader.decode` as a synchronous
method
for backward compatibility. The method was inadvertently changed to
async
in 3.13.3 as part of the decompression bomb security fix. A new
:py:meth:`~aiohttp.BodyPartReader.decode_iter` method is now available
for non-blocking decompression of large payloads using an async
generator.
Internal aiohttp code uses the async variant to maintain security
protections.
Changed multipart processing chunk sizes from 64 KiB to 256KiB, to
better
match aiohttp internals
\-- by :user:`bdraco` and :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`11898`.
- Fixed false-positive :py:class:`DeprecationWarning` for passing
`enable_cleanup_closed=True` to :py:class:`~aiohttp.TCPConnector`
specifically on Python 3.12.7.
\-- by :user:`Robsdedude`.
*Related issues and pull requests on GitHub:*
:issue:`11972`.
- Fixed \_sendfile\_fallback over-reading beyond requested count -- by
:user:`bysiber`.
*Related issues and pull requests on GitHub:*
:issue:`12096`.
- Fixed digest auth dropping challenge fields with empty string values
-- by :user:`bysiber`.
*Related issues and pull requests on GitHub:*
:issue:`12097`.
- `ClientConnectorCertificateError.os_error` no longer raises
:exc:`AttributeError`
\-- by :user:`themylogin`.
*Related issues and pull requests on GitHub:*
:issue:`12136`.
- Adjusted pure-Python request header value validation to align with RFC
9110 control-character handling, while preserving lax response parser
behavior, and added regression tests for Host/header control-character
cases.
\-- by :user:`rodrigobnogueira`.
*Related issues and pull requests on GitHub:*
:issue:`12231`.
- Rejected duplicate singleton headers (`Host`, `Content-Type`,
`Content-Length`, etc.) in the C extension HTTP parser to match
the pure Python parser behaviour, preventing potential host-based
access control bypasses via parser differentials
\-- by :user:`rodrigobnogueira`.
*Related issues and pull requests on GitHub:*
:issue:`12240`.
- Aligned the pure-Python HTTP request parser with the C parser by
splitting
comma-separated and repeated `Connection` header values for keep-alive,
close, and upgrade handling -- by :user:`rodrigobnogueira`.
*Related issues and pull requests on GitHub:*
:issue:`12249`.
## Improved documentation
- Documented :exc:`asyncio.TimeoutError` for
`WebSocketResponse.receive()`
and related methods -- by :user:`veeceey`.
*Related issues and pull requests on GitHub:*
:issue:`12042`.
## Packaging updates and notes for downstreams
- Upgraded llhttp to 3.9.1 -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`12069`.
## Contributor-facing changes
- The benchmark CI job now runs only in the upstream repository -- by
:user:`Cycloctane`.
It used to always fail in forks, which this change fixed.
*Related issues and pull requests on GitHub:*
:issue:`11737`.
- Fixed flaky performance tests by using appropriate fixed thresholds
that account for CI variability -- by :user:`rodrigobnogueira`.
*Related issues and pull requests on GitHub:*
:issue:`11992`.
## Miscellaneous internal changes
- Fixed `test_invalid_idna` to work with `idna` 3.11 by using an invalid
character (`\u0080`) that is rejected by `yarl` during URL construction
-- by :user:`rodrigobnogueira`.
*Related issues and pull requests on GitHub:*
:issue:`12027`.
- Fixed race condition in `test_data_file` on Python 3.14 free-threaded
builds -- by :user:`rodrigobnogueira`.
*Related issues and pull requests on GitHub:*
:issue:`12170`.
***
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/google-cloud-python).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuNyIsInVwZGF0ZWRJblZlciI6IjQzLjEwMi43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->1 parent a7b8462 commit d03de8a
1 file changed
+121
-121
lines changed
0 commit comments