Primary

Context

AIOHTTP Request Smuggling Vulnerability via Non-ASCII Decimals in Range Header

Vulnerability

Patched

A request smuggling vulnerability has been identified in AIOHTTP versions through 3.13.2. The issue arises because the parser logic allows non-ASCII decimals to be included in the Range header. While there is no known impact, this behavior could potentially be exploited.

Impact

Exploitation could lead to a request smuggling vulnerability.

Reproduction

The vulnerability can be reproduced by sending a request with a Range header that includes non-ASCII decimal characters, such as Devanagari digits. The server will accept the header, but the non-ASCII characters could be used to manipulate the request in a way that exploits the smuggling vulnerability.

Remediation

Users can upgrade to AIOHTTP version 3.13.3 or later to address this vulnerability.

Added: Jan 6, 2026, 12:24 AM

Updated: Jan 6, 2026, 12:24 AM

Vulnerability Rating

Custom Algorithm

spread

7.3

impact

0.0

exploitability

8.4

remediation

7.7

relevance

1.9

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.3

impact

0.0

exploitability

8.4

remediation

7.7

relevance

1.9

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

AIOHTTP Request Smuggling Vulnerability via Non-ASCII Decimals in Range Header

Vulnerability

Impact

Reproduction

Remediation

Affected Products

aio-libs aiohttp

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating