AIOHTTP Cross-Origin Redirect Header Leakage Vulnerability

Vulnerability

AIOHTTP, an asynchronous HTTP client/server framework for Python, leaked sensitive request headers when its client followed a redirect to a different origin. Prior to version 3.13.4, the client dropped the Authorization header on a cross-origin redirect but kept sending the Cookie and Proxy-Authorization headers, so credentials intended for the original origin were delivered to whichever origin the redirect pointed at.

Impact

Any origin that an AIOHTTP client is redirected to, and therefore any party able to choose the redirect target, receives the client's Cookie and Proxy-Authorization headers from the original request. These headers commonly carry session identifiers and proxy credentials, so the leak can amount to session or proxy-account compromise rather than mere information disclosure.

Reproduction

To reproduce, send a request with an affected AIOHTTP client that carries Authorization, Cookie and Proxy-Authorization headers to a URL that responds with a redirect to a different origin (different scheme, host or port), with automatic redirect following enabled. Capture the request that arrives at the second origin and compare its headers with those of the original request. On affected versions the Authorization header is absent but Cookie and Proxy-Authorization arrive intact; on a patched version those headers should no longer reach the second origin either. A same-origin redirect is not a useful test, since all headers are legitimately retained in that case.
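The following added example models the client-side redirect policy described above; it is not AIOHTTP's own code and does not reproduce its internals. It assumes the usual definition of an origin (scheme, host and port, with default ports normalised), contrasts a policy that drops only Authorization on a cross-origin hop with one that also drops Cookie and Proxy-Authorization, and walks a constructed redirect chain (a same-origin hop followed by a cross-origin hop, with a relative Location on the first hop) to report which credential headers end up at a foreign origin. All URLs, header values and the redirect table are constructed for the example.

```python
"""Model of credential-header handling across redirects (added example, not aiohttp code)."""
from __future__ import annotations

from typing import Callable, Mapping, Optional
from urllib.parse import urljoin, urlsplit

Headers = dict[str, str]
Policy = Callable[[Headers, str, str], Headers]

# Request headers that carry credentials and must not cross an origin boundary.
CREDENTIAL_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, Optional[int]]:
    """Return (scheme, host, port); an absent port is replaced by the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(from_url: str, to_url: str) -> bool:
    """True when the two URLs differ in scheme, host or (normalised) port."""
    return origin(from_url) != origin(to_url)


def vulnerable_policy(headers: Headers, from_url: str, to_url: str) -> Headers:
    """Behaviour the advisory describes for pre-3.13.4: only Authorization is dropped."""
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def hardened_policy(headers: Headers, from_url: str, to_url: str) -> Headers:
    """Hardened policy: every credential-bearing header is dropped on a cross-origin hop."""
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def follow_redirects(policy: Policy, start_url: str, headers: Headers,
                     redirects: Mapping[str, Optional[str]],
                     max_redirects: int = 10) -> list[tuple[str, Headers]]:
    """Walk a redirect chain and return (url, headers sent) for every hop.

    `redirects` maps a URL to the Location value its server answers with
    (possibly relative), or None for a final, non-redirecting response.
    """
    url, current = start_url, dict(headers)
    hops = [(url, current)]
    while (location := redirects.get(url)) is not None:
        if len(hops) > max_redirects:
            raise RuntimeError("too many redirects")
        next_url = urljoin(url, location)          # resolve relative Location values
        current = policy(current, url, next_url)
        hops.append((next_url, current))
        url = next_url
    return hops


def leaked_credentials(policy: Policy, start_url: str, headers: Headers,
                       redirects: Mapping[str, Optional[str]]) -> set[str]:
    """Names of credential headers delivered to any origin other than the starting one."""
    leaked: set[str] = set()
    for url, sent in follow_redirects(policy, start_url, headers, redirects):
        if is_cross_origin(start_url, url):
            leaked |= {k for k in sent if k.lower() in CREDENTIAL_HEADERS}
    return leaked


# Constructed sample: a same-origin hop, then a hop to a foreign origin.
START_URL = "https://api.example.test/login"
REQUEST_HEADERS: Headers = {
    "Authorization": "Bearer constructed-token",
    "Cookie": "session=constructed-session-id",
    "Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ6c2VjcmV0",
    "X-Request-Id": "demo-1",
}
REDIRECTS: dict[str, Optional[str]] = {
    START_URL: "/v2/login",                                                    # same origin
    "https://api.example.test/v2/login": "https://collector.example.test/landing",  # cross-origin
    "https://collector.example.test/landing": None,
}

if __name__ == "__main__":
    for name, policy in (("vulnerable", vulnerable_policy), ("hardened", hardened_policy)):
        print(f"{name}: leaked {sorted(leaked_credentials(policy, START_URL, REQUEST_HEADERS, REDIRECTS))}")
```

Running the block prints that the vulnerable policy leaks Cookie and Proxy-Authorization to collector.example.test while the hardened policy leaks nothing; the same-origin hop keeps every header under both policies, which is the behaviour a redirect test must not mistake for the bug.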

Remediation

Upgrade to AIOHTTP version 3.13.4 or later, where this behaviour is fixed. Where an upgrade cannot be applied immediately, disable automatic redirect following on requests that carry credentials (the client request methods accept allow_redirects=False) and handle any redirect explicitly, deciding which headers to resend only after checking the new origin.

Added: Apr 1, 2026, 9:50 PM
Updated: Apr 1, 2026, 9:50 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 2.5
exploitability: 7.2
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.