aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
- When
- Where: Global (internet)
- Category: cyber_advisory · pip
### Summary

The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused.

### Impact

If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.

### Workaround

Disable keep_alive if you need to change the `server_hostname` check between requests.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/0ca2b6c28a25726527a8b60f25960262a91ed0e0
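
The reuse behaviour described under Impact, and the effect of the workaround, shown as an added example that is not aiohttp's code and not part of the advisory. It is a simplified, stdlib-only model in which the hostname check runs only during the handshake; `ModelPool`, `ModelConnection`, `HostnameMismatch`, `second_request_rejected` and the `example.test` names are hypothetical and constructed for illustration.

```python
"""Simplified model of a keep-alive connection pool (constructed; not aiohttp code)."""
from dataclasses import dataclass, field


class HostnameMismatch(Exception):
    """Raised when the certificate does not cover the expected name."""


@dataclass
class ModelConnection:
    host: str
    verified_name: str  # name the certificate was checked against at handshake


@dataclass
class ModelPool:
    cert_names: dict            # constructed: host -> names on the cert it presents
    keep_alive: bool = True
    idle: dict = field(default_factory=dict)  # idle connections, keyed by host only
    handshakes: int = 0

    def _handshake(self, host, server_hostname):
        # The hostname check happens only here, during the (modelled) TLS handshake.
        self.handshakes += 1
        expected = server_hostname or host
        if expected not in self.cert_names[host]:
            raise HostnameMismatch(f"{expected!r} not in certificate for {host}")
        return ModelConnection(host, expected)

    def request(self, host, server_hostname=None):
        # A reused connection skips the handshake, so the per-request
        # server_hostname is never compared against the certificate.
        conn = self.idle.pop(host, None) if self.keep_alive else None
        if conn is None:
            conn = self._handshake(host, server_hostname)
        if self.keep_alive:
            self.idle[host] = conn
        return conn


def second_request_rejected(keep_alive):
    """Request 1 uses a name the cert covers; request 2 uses one it does not."""
    pool = ModelPool({"api.example.test": {"api.example.test"}}, keep_alive)
    pool.request("api.example.test")
    try:
        pool.request("api.example.test", server_hostname="other.example.test")
    except HostnameMismatch:
        return True
    return False
```

With aiohttp itself, keep-alive is disabled by passing `connector=aiohttp.TCPConnector(force_close=True)` to `ClientSession`.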
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-15 20:11 UTC