CVE-2026-34514: AIOHTTP XSS Vulnerability via Header Injection

CVE-2026-34514 Overview

A header injection vulnerability exists in the AIOHTTP asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could exploit insufficient input validation to inject extra headers or conduct similar attacks. This vulnerability is classified as CWE-113 (HTTP Response Splitting), which occurs when untrusted data is included in HTTP response headers without proper sanitization.

Critical Impact

Attackers controlling user input in the content_type parameter can inject newline characters to add arbitrary HTTP headers, potentially enabling cache poisoning, session hijacking, or cross-site scripting attacks.

Affected Products

• AIOHTTP versions prior to 3.13.4
• Python applications using vulnerable AIOHTTP multipart form data handling
• Web services built on asyncio frameworks leveraging AIOHTTP for HTTP operations

Discovery Timeline

• April 1, 2026 - CVE-2026-34514 published to NVD
• April 1, 2026 - Last updated in NVD database

Technical Details for CVE-2026-34514

Vulnerability Analysis

This vulnerability stems from improper input validation in AIOHTTP's multipart form data handling. When processing the content_type parameter, the framework failed to validate that the input did not contain carriage return (\r) or newline (\n) characters. These special characters serve as delimiters in HTTP headers, and their presence in user-controlled input enables HTTP Response Splitting attacks.

HTTP Response Splitting allows an attacker to craft malicious input that terminates the current header and injects additional headers or even a complete HTTP response body. This can lead to various attack scenarios including cache poisoning (where intermediate proxies cache malicious content), session fixation (by injecting Set-Cookie headers), and reflected XSS when the injected content is rendered by browsers.

Root Cause

The root cause is missing validation of the content_type parameter in the aiohttp/formdata.py module. The code accepted arbitrary string values for the content_type field without checking for HTTP header delimiter characters. When these values were subsequently included in HTTP headers, the newline characters would be interpreted as header boundaries by HTTP parsers, allowing injection of arbitrary header content.

Attack Vector

The attack vector is network-based and requires the attacker to control the content_type parameter passed to AIOHTTP's multipart form handling functions. An attacker could craft a malicious content_type value containing CRLF sequences (\r\n) followed by arbitrary header content. When the application processes this input and constructs the HTTP response, the injected headers would be included in the response sent to clients or downstream systems.

                 raise TypeError(
                     "content_type must be an instance of str. Got: %s" % content_type
                 )
+            if "\r" in content_type or "\n" in content_type:
+                raise ValueError(
+                    "Newline or carriage return detected in headers. "
+                    "Potential header injection attack."
+                )
             headers[hdrs.CONTENT_TYPE] = content_type
             self._is_multipart = True
         if content_transfer_encoding is not None:

Source: GitHub Commit Update

Detection Methods for CVE-2026-34514

Indicators of Compromise

• Presence of \r or \n characters in Content-Type headers within application logs
• Unusual or malformed HTTP headers in web server access logs that suggest injection attempts
• Multiple Content-Type headers in single HTTP responses indicating successful header injection

Detection Strategies

• Implement log monitoring to detect CRLF sequences (%0d%0a or \r\n) in HTTP request parameters
• Deploy web application firewalls (WAF) with rules to block requests containing newline characters in header values
• Audit Python application dependencies to identify AIOHTTP versions prior to 3.13.4

Monitoring Recommendations

• Enable verbose logging in AIOHTTP applications to capture all incoming content_type values
• Monitor for ValueError exceptions with the message "Newline or carriage return detected in headers" after patching, as this indicates attempted exploitation
• Set up alerting for anomalous HTTP response patterns that may indicate successful header injection

How to Mitigate CVE-2026-34514

Immediate Actions Required

• Upgrade AIOHTTP to version 3.13.4 or later immediately
• Review application code for any user-controlled input that is passed to AIOHTTP's content_type parameter
• Implement input validation at the application layer to reject content_type values containing CRLF characters as a defense-in-depth measure

Patch Information

The vulnerability has been patched in AIOHTTP version 3.13.4. The fix adds explicit validation to reject content_type values containing carriage return or newline characters before they are used in HTTP headers. Organizations should upgrade to this version or later to remediate the vulnerability. Detailed patch information is available in the GitHub Security Advisory GHSA-2vrm-gr82-f7m5 and the GitHub Release v3.13.4.

Workarounds

• Sanitize all user input before passing to AIOHTTP functions by stripping or rejecting values containing \r or \n characters
• Use a web application firewall to filter requests with suspicious characters in content-type related parameters
• Implement strict Content-Type allowlists at the application layer to only permit known-safe MIME types

# Upgrade AIOHTTP to patched version
pip install --upgrade aiohttp>=3.13.4

# Verify installed version
pip show aiohttp | grep Version