Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2025-43859 h11: h11 accepts some malformed Chunked-Encoding bodiesCVE-2024-23334 aiohttp: follow_symlinks directory traversal vulnerabilityCVE-2024-30251 aiohttp: DoS when trying to parse malformed POST requestsCVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bombCVE-2023-47627 python-aiohttp: numerous issues in HTTP parser with header parsingCVE-2023-49081 aiohttp: HTTP request modificationCVE-2023-49082 aiohttp: CRLF injection if user controls the HTTP method using aiohttp clientCVE-2024-23829 python-aiohttp: http request smugglingCVE-2024-27306 aiohttp: XSS on index pages for static file handlingCVE-2024-52304 aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensionsCVE-2025-69227 aiohttp: aiohttp: Denial of Service via specially crafted POST requestCVE-2025-69228 aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST requestCVE-2025-69229 aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handlingCVE-2026-22815 aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handlingCVE-2026-34515 aiohttp: AIOHTTP: Information disclosure via static resource handler on WindowsCVE-2026-34516 aiohttp: AIOHTTP: Denial of Service via excessive multipart headersCVE-2026-34525 aiohttp: aiohttp: Security bypass via multiple Host headersCVE-2026-34993 aiohttp: AIOHTTP: Arbitrary code execution via untrusted input to CookieJar.load()CVE-2026-47265 python-aiohttp: AIOHTTP: Information disclosure via improper handling of cookies during cross-origin redirectsCVE-2026-54273 aiohttp: AIOHTTP: Denial of Service via excessive pipelined requestsCVE-2026-54274 aiohttp: aiohttp: Denial of Service via incomplete websocket frame payloadsCVE-2026-54276 aiohttp: aiohttp: Information disclosure via DigestAuthMiddleware after cross-origin redirectCVE-2026-54277 aiohttp: aiohttp: Denial of Service via oversized HTTP request lines bypassing max_line_size checkCVE-2026-54278 aiohttp: aiohttp: Denial of Service due to excessive memory consumption from compressed request bodyGHSA-pjjw-qhg8-p2p9 aiohttp has vulnerable dependency that is vulnerable to request smugglingYour dependencies cross-checked against the OSV vulnerability database.
GHSA-63hf-3vf5-4wqf AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypassPYSEC-2026-348 h11 accepts some malformed Chunked-Encoding bodiesPYSEC-2023-246 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parserPYSEC-2023-250 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create PYSEC-2023-251 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even creaPYSEC-2024-24 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static fiPYSEC-2024-26 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must triPYSEC-2026-237 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an applicatGHSA-4fvr-rgm6-gqmc aiohttp: HTTP/1 Pipelined Requests Queue Without LimitGHSA-5m98-qgg9-wh84 aiohttp vulnerable to Denial of Service when trying to parse malformed POST requestsGHSA-63hw-fmq6-xxg2 aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented LinesGHSA-6jhg-hg63-jvvf AIOHTTP vulnerable to denial of service through large payloadsGHSA-6mq8-rvhq-8wgg AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bombGHSA-7gpw-8wmc-pm8g aiohttp Cross-site Scripting vulnerability on index pages for static file handlingGHSA-8495-4g3g-x7pr aiohttp allows request smuggling due to incorrect parsing of chunk extensionsGHSA-966j-vmvw-g2g9 AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirectGHSA-c427-h43c-vf67 AIOHTTP accepts duplicate Host headersGHSA-g3cq-j2xw-wf74 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During CleanupGHSA-g84x-mcqj-x9qq AIOHTTP vulnerable to DoS through chunked messagesGHSA-hg6j-4rv6-33pg AIOHTTP is vulnerable to cross-origin redirect with per-request cookiesGHSA-hpj7-wq8m-9hgp aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect ChallengesGHSA-jg22-mg44-37j8 AIOHTTP is Vulnerable to Deserialization of Untrusted DataGHSA-jj3x-wxrx-4x23 AIOHTTP vulnerable to DoS when bypassing assertsGHSA-m5qp-6w8w-w647 AIOHTTP has a Multipart Header Size BypassGHSA-p998-jp59-783m AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on WindowsCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.