
aiohttp: CRLF injection in multipart headers

Where: Global (internet)
Category: cyber_advisory · pip

### Summary

Attacker-controlled input included in multipart/payload headers can be used to modify a request, for example to inject additional headers.

### Impact

In the unlikely situation that an application is passing user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may be able to modify the request to inject headers or change the contents of the request.

### Workaround

Sanitise such user input.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8
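One way to apply the workaround, as an added example that is not code from aiohttp or from the linked patch: validate every header name and value before handing them to `MultipartWriter.append(headers=...)` or `Payload.headers`, rejecting anything that could start a new header line. The helper names (`validate_header`, `sanitize_part_headers`, `is_safe_part_headers`) are assumptions for this example, and aiohttp itself is not imported so the block runs stand-alone.

```python
import re
from typing import Dict, Mapping, Tuple

# A header field-name must be an RFC 7230 "token"; this also rejects empty names,
# whitespace, ':' and any CR/LF smuggled into the name itself.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# CR, LF and NUL must never appear in a value: a bare CR or LF is enough for some
# parsers to treat what follows as a new header line, so CRLF alone is not the test.
_FORBIDDEN_IN_VALUE = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could alter the structure of the request."""


def validate_header(name: str, value: str) -> Tuple[str, str]:
    """Return (name, value) unchanged if safe for a multipart part header, else raise."""
    if not isinstance(name, str) or not isinstance(value, str):
        raise HeaderInjectionError("header name and value must be str")
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if _FORBIDDEN_IN_VALUE.search(value):
        raise HeaderInjectionError(f"CR/LF/NUL in value of header {name!r}")
    if value != value.strip(" \t"):
        # Surrounding whitespace is not an injection by itself, but it makes
        # the serialised header ambiguous to parse, so reject it too.
        raise HeaderInjectionError(f"value of header {name!r} has surrounding whitespace")
    return name, value


def sanitize_part_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Validate a whole header mapping; use the result as the headers= argument."""
    return dict(validate_header(name, value) for name, value in headers.items())


def is_safe_part_headers(headers: Mapping[str, str]) -> bool:
    """Convenience predicate for callers that prefer a boolean to an exception."""
    try:
        sanitize_part_headers(headers)
    except HeaderInjectionError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying an injected header line.
    print(is_safe_part_headers({"Content-Disposition": 'form-data; name="file"'}))
    print(is_safe_part_headers({"X-Meta": "a\r\nX-Injected: yes"}))
```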
