
HTTP response splitting via \r in reason phrase

Low
Dreamsorcerer published GHSA-mwh4-6h8g-pg8w Apr 1, 2026

Package

pip aiohttp (pip)

Affected versions

<=3.13.3

Patched versions

3.13.4

Description

Summary

An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or perform similar attacks.

Impact

In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, an attacker could manipulate the response to send something different from what the developer intended.
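The defect class described above, shown as an added example that is not aiohttp's code and not the 53b35a2 patch: a status line builder that interpolates the reason phrase unchecked beside one that first validates it against the characters RFC 9112 permits in a reason-phrase (HTAB, SP, VCHAR, obs-text), plus a helper that counts how many lines a lenient parser (treating a bare CR as a line terminator) would see in the serialized head. The function names and the constructed "untrusted" reason value are assumptions made for the example.

```python
import re

# RFC 9112 section 4: reason-phrase = 1*( HTAB / SP / VCHAR / obs-text ).
# CR, LF and every other control character are excluded. An empty reason is
# tolerated here; the check targets control characters only. (Hypothetical
# validator written for this example, not aiohttp's implementation.)
_ALLOWED_REASON = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def reason_is_safe(reason: str) -> bool:
    """True if every character of the reason phrase is permitted by RFC 9112."""
    return _ALLOWED_REASON.fullmatch(reason) is not None


def validate_reason(reason: str) -> str:
    """Raise instead of emitting a reason that could end the status line early."""
    if not reason_is_safe(reason):
        raise ValueError("invalid control character in HTTP reason phrase")
    return reason


def build_status_line_unsafe(status: int, reason: str) -> str:
    """Defect class: the reason is interpolated with no CR/LF check."""
    return f"HTTP/1.1 {status} {reason}\r\n"


def build_status_line_safe(status: int, reason: str) -> str:
    """Hardened form: the reason is validated before serialization."""
    return f"HTTP/1.1 {status} {validate_reason(reason)}\r\n"


def count_lines(serialized_head: str) -> int:
    """Lines a lenient recipient would parse from the serialized head.

    Splits on CRLF, bare CR or bare LF; a well-formed status line yields 1.
    """
    return len([ln for ln in re.split(r"\r\n|\r|\n", serialized_head) if ln])


if __name__ == "__main__":
    # Constructed untrusted value with a bare CR, as in the advisory title.
    untrusted_reason = "OK\rX-Injected: 1"
    head = build_status_line_unsafe(200, untrusted_reason)
    print("unsafe builder emitted", count_lines(head), "line(s):", repr(head))
    try:
        build_status_line_safe(200, untrusted_reason)
    except ValueError as exc:
        print("safe builder rejected it:", exc)
```

A request-time check of this kind belongs wherever the reason phrase enters the application; treating the reason as opaque text to be validated, rather than as a constant, is what prevents the split regardless of which parser is on the receiving end.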


Patch: 53b35a2

Severity

Low

CVE ID

CVE-2026-34519

Weaknesses

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Credits