Jun 3, 2026·6 min read·42 visits
AIOHTTP fails to clear the per-request `cookies` parameter during cross-origin redirects, causing sensitive cookies to be transmitted to untrusted third-party servers.
AIOHTTP prior to version 3.14.0 fails to clear request-specific cookies when executing cross-origin automatic HTTP redirects. This vulnerability allows remote web servers to harvest sensitive credentials and session cookies originally scoped to an authorized target domain.
The AIOHTTP asynchronous HTTP client framework for Python is widely utilized in microservice architectures, web scrapers, and automated integration pipelines. When executing outbound HTTP requests, applications frequently handle stateful sessions using cookies. AIOHTTP manages these credentials using either a session-level global cookie jar or request-specific parameters.
This vulnerability lies within the origin validation boundaries of the redirect resolution process. Specifically, when an HTTP request initiated by an AIOHTTP client receives an automatic redirect status code, the library resolves the new location and determines if the destination resides on a different origin.
If the redirect target constitutes a different origin (by scheme, host, or port), the framework is designed to sanitize the outgoing request to prevent credential disclosure. However, under CWE-346 (Origin Validation Error), the sanitization logic fails to address request-specific local variables. Consequently, sensitive authentication tokens are unintentionally forwarded to untrusted external domains.
To understand the root cause, it is necessary to examine how AIOHTTP isolates request-specific state. When invoking client requests via ClientSession._request(), a developer can supply cookies using the cookies argument, such as session.get(url, cookies={'session_id': 'secret'}). These arguments are handled locally within the request lifecycle rather than being merged into the persistent, domain-constrained CookieJar class.
When a remote server issues a redirect response (e.g., 301, 302, or 307) and redirection is enabled, the client framework executes a loop in _connect_and_send_request to dispatch subsequent queries. During a cross-origin transition, the following logical evaluation is performed:
if url.origin() != redirect_origin:
auth = None
headers.pop(hdrs.AUTHORIZATION, None)
headers.pop(hdrs.COOKIE, None)
headers.pop(hdrs.PROXY_AUTHORIZATION, None)While this sanitization process successfully purges standard HTTP headers like Authorization and Cookie from the request headers dictionary, it fails to alter or nullify the local cookies variable. Because this variable remains bound to the execution scope of the loop, it is passed directly into the subsequent ClientRequest constructor for the new, cross-origin URL. The constructor then generates a new Cookie header from this pristine local variable and transmits it to the external destination.
The official patch introduced in commit f54c40851b0d6c4bbdab97ba518a223adda32478 resolves the bug by explicitly purging the local cookies variable alongside standard HTTP headers.
# Source: aiohttp/client.py
@@ -971,6 +971,7 @@ async def _connect_and_send_request(
if url.origin() != redirect_origin:
auth = None
+ cookies = None
headers.pop(hdrs.AUTHORIZATION, None)
headers.pop(hdrs.COOKIE, None)
headers.pop(hdrs.PROXY_AUTHORIZATION, None)By adding cookies = None, the client ensures that the subsequent call to the ClientRequest constructor receives an empty state for the per-request cookies parameter, preventing the re-creation of the Cookie header.
While this fix is highly effective at stopping parameter leakage, security engineers must remain aware of adjacent attack surfaces. Specifically, the origin validation relies on the yarl library's url.origin() method. Parser differentials between yarl and downstream socket resolution libraries regarding malformed URLs or Unicode Internationalized Domain Names (IDNs) could hypothetically still lead to origin confusion. Additionally, custom API authorization headers, such as X-API-Key or X-Auth-Token, are not explicitly stripped by this logic and will continue to propagate across redirects.
An exploitation scenario requires an attacker to control or influence the redirect destination of an HTTP request initiated by an AIOHTTP client. This is common in server-side request forgery (SSRF) entry points, webhook processing systems, or open-redirect vulnerabilities hosted on a target domain.
To exploit this vulnerability, an attacker can manipulate an API endpoint to return a redirect response to an attacker-controlled server. If the vulnerable client executes the request using local parameters, the credentials are automatically leaked to the attacker's endpoint:
# Vulnerable configuration
async with aiohttp.ClientSession() as session:
# Under affected versions, the cookie below is forwarded to attacker.com upon redirection
await session.get("https://target.com/api", cookies={"session_id": "SECRET"})When the client encounters a 302 Found directing it to https://attacker.com, it automatically connects to the external server. The server's connection log then captures the incoming request containing the valid, unexpired Cookie: session_id=SECRET header.
The potential impact of this vulnerability depends on the lifecycle and privilege level of the leaked cookies. If the client uses session identifiers, administrative JSON Web Tokens (JWTs), or authentication cookies to communicate with stateful APIs, an attacker gaining these values can perform session hijacking or unauthorized API transactions.
This vulnerability has been assigned a CVSS v4.0 score of 6.6 (Medium) with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U. The confidentiality impact on the client execution environment is marked as High because authentication tokens can be recovered by unauthorized external entities.
Currently, the Exploit Prediction Scoring System (EPSS) score remains low at 0.00019 (0.019% probability), reflecting the absence of weaponized public exploits or active exploitation in the wild. Nonetheless, applications performing high-volume server-side HTTP client requests are at distinct risk if they process dynamic redirects without strict input sanitization.
The definitive resolution for CVE-2026-47265 is upgrading the aiohttp library to version 3.14.0 or later. This ensures that the framework's internal redirection logic correctly purges local cookies prior to executing cross-origin requests.
pip install --upgrade aiohttp>=3.14.0For environments where an immediate library upgrade is not feasible, developers must refactor request invocations to construct the standard Cookie header explicitly within the headers argument rather than relying on the cookies argument. This ensures that existing header-clearing routines remove the sensitive data before cross-origin requests are dispatched:
# INSECURE pattern in < 3.14.0
await session.get("https://target.com", cookies={"token": "secret"})
# SECURE workaround pattern in all versions
headers = {"Cookie": "token=secret"}
await session.get("https://target.com", headers=headers)Additionally, implementing a strict egress control policy or disabling redirects (allow_redirects=False) on requests containing sensitive credentials provides an extra layer of defense.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U| Product | Affected Versions | Fixed Version |
|---|---|---|
aiohttp aio-libs | < 3.14.0 | 3.14.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-346: Origin Validation Error |
| Attack Vector | Network |
| CVSS Score | 6.6 (Medium) |
| EPSS Score | 0.00019 (Percentile: 5.36%) |
| Impact | High Confidentiality Loss (Credential Leakage) |
| Exploit Status | none |
| CISA KEV Status | Not Listed |
The software does not properly control or validate the origin of a request or message, potentially leading to unauthorized operations or data disclosure.
A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.
An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.
CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.
A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.
CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.