Update dependency aiohttp to v3.12.14 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
aiohttp	3.8.6 -> 3.12.14

GitHub Vulnerability Alerts

CVE-2023-49082

Summary

Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.

Details

The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.

Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.

PoC

A minimal example can be found here:
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

Impact

If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Workaround

If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).

Patch: https://github.com/aio-libs/aiohttp/pull/7806/files

CVE-2023-49081

Summary

Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.

Details

The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).
For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the version parameter.
Furthermore, the vulnerability only occurs when the Connection header is passed to the headers parameter.

At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.

PoC

The POC below shows an example of providing an unvalidated array as a version:
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e

Impact

CRLF injection leading to Request Smuggling.

Workaround

If these specific conditions are met and you are unable to upgrade, then validate the user input to the version parameter to ensure it is a str.

Patch: https://github.com/aio-libs/aiohttp/pull/7835/files

CVE-2024-23829

Summary

Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.

Details

These problems are rooted in pattern matching protocol elements, previously improved by PR #​3235 and GHSA-gfw2-4jvh-wgfg:

1. The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).

2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.

3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 token.

PoC

GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked

Impact

Primarily concerns running an aiohttp server without llhttp:

1. behind a proxy: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.
2. directly accessible or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.

---

Patch: https://github.com/aio-libs/aiohttp/pull/8074/files

CVE-2024-23334

Summary

Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Details

When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])

Impact

This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.

Workaround

Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.

If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.

---

Patch: https://github.com/aio-libs/aiohttp/pull/8079/files

CVE-2024-27306

Summary

A XSS vulnerability exists on index pages for static file handling.

Details

When using web.static(..., show_index=True), the resulting index pages do not escape file names.

If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.

Other users can disable show_index if unable to upgrade.

---

Patch: https://github.com/aio-libs/aiohttp/pull/8319/files

CVE-2024-30251

Summary

An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

Impact

An attacker can stop the application from serving requests after sending a single request.

---

For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in _read_chunk_from_length()):

diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@​@​ -338,6 +338,8 @​@​ class BodyPartReader:
         assert self._length is not None, "Content-Length required for chunked read"
         chunk_size = min(size, self._length - self._read_bytes)
         chunk = await self._content.read(chunk_size)
+        if self._content.at_eof():
+            self._at_eof = True
         return chunk
 
     async def _read_chunk_from_stream(self, size: int) -> bytes:

This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
aio-libs/aiohttp@cebe526
aio-libs/aiohttp@7eecdff
aio-libs/aiohttp@f21c6f2

CVE-2024-52304

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

---

Patch: aio-libs/aiohttp@259edc3

CVE-2025-53643

Summary

The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

---

Patch: aio-libs/aiohttp@e8d774f

---

Release Notes

aio-libs/aiohttp (aiohttp)

v3.12.14

Compare Source

====================

Bug fixes

• Fixed file uploads failing with HTTP 422 errors when encountering 307/308 redirects, and 301/302 redirects for non-POST methods, by preserving the request body when appropriate per :rfc:9110#section-15.4.3-3.1 -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11270.

• Fixed :py:meth:ClientSession.close() <aiohttp.ClientSession.close> hanging indefinitely when using HTTPS requests through HTTP proxies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11273.

• Bumped minimum version of aiosignal to 1.4+ to resolve typing issues -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11280.

Features

• Added initial trailer parsing logic to Python HTTP parser -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11269.

Improved documentation

• Clarified exceptions raised by WebSocketResponse.send_frame et al.
  -- by :user:DoctorJohn.

  Related issues and pull requests on GitHub:
  :issue:11234.

---

v3.12.13

Compare Source

====================

Bug fixes

• Fixed auto-created :py:class:~aiohttp.TCPConnector not using the session's event loop when :py:class:~aiohttp.ClientSession is created without an explicit connector -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11147.

---

v3.12.12

Compare Source

====================

Bug fixes

• Fixed cookie unquoting to properly handle octal escape sequences in cookie values (e.g., \012 for newline) by vendoring the correct _unquote implementation from Python's http.cookies module -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11173.

• Fixed Cookie header parsing to treat attribute names as regular cookies per :rfc:6265#section-5.4 -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11178.

---

v3.12.11

Compare Source

====================

Features

• Improved SSL connection handling by changing the default ssl_shutdown_timeout
  from 0.1 to 0 seconds. SSL connections now use Python's default graceful
  shutdown during normal operation but are aborted immediately when the connector
  is closed, providing optimal behavior for both cases. Also added support for
  ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
  rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
  Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

  The ssl_shutdown_timeout parameter is now deprecated and will be removed in
  aiohttp 4.0 as there is no clear use case for changing the default.

  Related issues and pull requests on GitHub:
  :issue:11148.

Deprecations (removal in next major release)

• Improved SSL connection handling by changing the default ssl_shutdown_timeout
  from 0.1 to 0 seconds. SSL connections now use Python's default graceful
  shutdown during normal operation but are aborted immediately when the connector
  is closed, providing optimal behavior for both cases. Also added support for
  ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
  rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
  Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

  The ssl_shutdown_timeout parameter is now deprecated and will be removed in
  aiohttp 4.0 as there is no clear use case for changing the default.

  Related issues and pull requests on GitHub:
  :issue:11148.

---

v3.12.10

Compare Source

====================

Bug fixes

• Fixed leak of aiodns.DNSResolver when :py:class:~aiohttp.TCPConnector is closed and no resolver was passed when creating the connector -- by :user:Tasssadar.

  This was a regression introduced in version 3.12.0 (:pr:10897).

  Related issues and pull requests on GitHub:
  :issue:11150.

---

v3.12.9

Compare Source

===================

Bug fixes

• Fixed IOBasePayload and TextIOPayload reading entire files into memory when streaming large files -- by :user:bdraco.

  When using file-like objects with the aiohttp client, the entire file would be read into memory if the file size was provided in the Content-Length header. This could cause out-of-memory errors when uploading large files. The payload classes now correctly read data in chunks of READ_SIZE (64KB) regardless of the total content length.

  Related issues and pull requests on GitHub:
  :issue:11138.

---

v3.12.8

Compare Source

===================

Features

• Added preemptive digest authentication to :class:~aiohttp.DigestAuthMiddleware -- by :user:bdraco.

  The middleware now reuses authentication credentials for subsequent requests to the same
  protection space, improving efficiency by avoiding extra authentication round trips.
  This behavior matches how web browsers handle digest authentication and follows
  :rfc:7616#section-3.6.

  Preemptive authentication is enabled by default but can be disabled by passing
  preemptive=False to the middleware constructor.

  Related issues and pull requests on GitHub:
  :issue:11128, :issue:11129.

---

v3.12.7

Compare Source

===================

.. warning::

This release fixes an issue where the quote_cookie parameter was not being properly
respected for shared cookies (domain="", path=""). If your server does not handle quoted
cookies correctly, you may need to disable cookie quoting by setting quote_cookie=False
when creating your :class:~aiohttp.ClientSession or :class:~aiohttp.CookieJar.
See :ref:aiohttp-client-cookie-quoting-routine for details.

Bug fixes

• Fixed cookie parsing to be more lenient when handling cookies with special characters
  in names or values. Cookies with characters like {, }, and / in names are now
  accepted instead of causing a :exc:~http.cookies.CookieError and 500 errors. Additionally,
  cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
  values are now handled consistently whether or not they include special attributes
  like Domain. Also fixed :class:~aiohttp.CookieJar to ensure shared cookies (domain="", path="")
  respect the quote_cookie parameter, making cookie quoting behavior consistent for
  all cookies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:2683, :issue:5397, :issue:7993, :issue:11112.

• Fixed an issue where cookies with duplicate names but different domains or paths
  were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
  cookie jar now correctly stores all cookies even if they have the same name but
  different domain or path, following the :rfc:6265#section-5.3 storage model -- by :user:bdraco.

  Note that :attr:ClientResponse.cookies <aiohttp.ClientResponse.cookies> returns
  a :class:~http.cookies.SimpleCookie which uses the cookie name as a key, so
  only the last cookie with each name is accessible via this interface. All cookies
  can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall> if needed.

  Related issues and pull requests on GitHub:
  :issue:4486, :issue:11105, :issue:11106.

Miscellaneous internal changes

• Avoided creating closed futures in ResponseHandler that will never be awaited -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11107.

• Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11114.

---

v3.12.6

Compare Source

===================

Bug fixes

• Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:bdraco.

  When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs.

  Related issues and pull requests on GitHub:
  :issue:11100.

---

v3.12.4

Compare Source

===================

Bug fixes

• Fixed connector not waiting for connections to close before returning from :meth:~aiohttp.BaseConnector.close (partial backport of :pr:3733) -- by :user:atemate and :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:1925, :issue:11074.

---

v3.12.3

Compare Source

===================

Bug fixes

• Fixed memory leak in :py:meth:~aiohttp.CookieJar.filter_cookies that caused unbounded memory growth
  when making requests to different URL paths -- by :user:bdraco and :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:11052, :issue:11054.

---

v3.12.2

Compare Source

===================

Bug fixes

• Fixed Content-Length header not being set to 0 for non-GET requests with None body -- by :user:bdraco.

  Non-GET requests (POST, PUT, PATCH, DELETE) with None as the body now correctly set the Content-Length header to 0, matching the behavior of requests with empty bytes (b""). This regression was introduced in aiohttp 3.12.1.

  Related issues and pull requests on GitHub:
  :issue:11035.

---

v3.12.1

Compare Source

====================

Bug fixes

• Fixed :class:~aiohttp.DigestAuthMiddleware to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting algorithm=MD5-sess instead of algorithm=MD5-SESS)
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11352.

Improved documentation

• Remove outdated contents of aiohttp-devtools and aiohttp-swagger
  from Web_advanced docs.
  -- by :user:Cycloctane

  Related issues and pull requests on GitHub:
  :issue:11347.

Packaging updates and notes for downstreams

• Started including the llhttp :file:LICENSE file in wheels by adding vendor/llhttp/LICENSE to license-files in :file:setup.cfg -- by :user:threexc.

  Related issues and pull requests on GitHub:
  :issue:11226.

Contributor-facing changes

• Updated a regex in test_aiohttp_request_coroutine for Python 3.14.

  Related issues and pull requests on GitHub:
  :issue:11271.

---

v3.12.0

Compare Source

===================

Bug fixes

• Fixed :py:attr:~aiohttp.web.WebSocketResponse.prepared property to correctly reflect the prepared state, especially during timeout scenarios -- by :user:bdraco

  Related issues and pull requests on GitHub:
  :issue:6009, :issue:10988.

• Response is now always True, instead of using MutableMapping behaviour (False when map is empty)

  Related issues and pull requests on GitHub:
  :issue:10119.

• Fixed connection reuse for file-like data payloads by ensuring buffer
  truncation respects content-length boundaries and preventing premature
  connection closure race -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10325, :issue:10915, :issue:10941, :issue:10943.

• Fixed pytest plugin to not use deprecated :py:mod:asyncio policy APIs.

  Related issues and pull requests on GitHub:
  :issue:10851.

• Fixed :py:class:~aiohttp.resolver.AsyncResolver not using the loop argument in versions 3.x where it should still be supported -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10951.

Features

• Added a comprehensive HTTP Digest Authentication client middleware (DigestAuthMiddleware)
  that implements RFC 7616. The middleware supports all standard hash algorithms
  (MD5, SHA, SHA-256, SHA-512) with session variants, handles both 'auth' and
  'auth-int' quality of protection options, and automatically manages the
  authentication flow by intercepting 401 responses and retrying with proper
  credentials -- by :user:feus4177, :user:TimMenninger, and :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:2213, :issue:10725.

• Added client middleware support -- by :user:bdraco and :user:Dreamsorcerer.

  This change allows users to add middleware to the client session and requests, enabling features like
  authentication, logging, and request/response modification without modifying the core
  request logic. Additionally, the session attribute was added to ClientRequest,
  allowing middleware to access the session for making additional requests.

  Related issues and pull requests on GitHub:
  :issue:9732, :issue:10902, :issue:10945, :issue:10952, :issue:10959, :issue:10968.

• Allow user setting zlib compression backend -- by :user:TimMenninger

  This change allows the user to call :func:aiohttp.set_zlib_backend() with the
  zlib compression module of their choice. Default behavior continues to use
  the builtin zlib library.

  Related issues and pull requests on GitHub:
  :issue:9798.

• Added support for overriding the base URL with an absolute one in client sessions
  -- by :user:vivodi.

  Related issues and pull requests on GitHub:
  :issue:10074.

• Added host parameter to aiohttp_server fixture -- by :user:christianwbrock.

  Related issues and pull requests on GitHub:
  :issue:10120.

• Detect blocking calls in coroutines using BlockBuster -- by :user:cbornet.

  Related issues and pull requests on GitHub:
  :issue:10433.

• Added socket_factory to :py:class:aiohttp.TCPConnector to allow specifying custom socket options
  -- by :user:TimMenninger.

  Related issues and pull requests on GitHub:
  :issue:10474, :issue:10520, :issue:10961, :issue:10962.

• Started building armv7l manylinux wheels -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10797.

• Implemented shared DNS resolver management to fix excessive resolver object creation
  when using multiple client sessions. The new _DNSResolverManager singleton ensures
  only one DNSResolver object is created for default configurations, significantly
  reducing resource usage and improving performance for applications using multiple
  client sessions simultaneously -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10847, :issue:10923, :issue:10946.

• Upgraded to LLHTTP 9.3.0 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:10972.

• Optimized small HTTP requests/responses by coalescing headers and body into a single TCP packet -- by :user:bdraco.

  This change enhances network efficiency by reducing the number of packets sent for small HTTP payloads, improving latency and reducing overhead. Most importantly, this fixes compatibility with memory-constrained IoT devices that can only perform a single read operation and expect HTTP requests in one packet. The optimization uses zero-copy writelines when coalescing data and works with both regular and chunked transfer encoding.

  When aiohttp uses client middleware to communicate with an aiohttp server, connection reuse is more likely to occur since complete responses arrive in a single packet for small payloads.

  This aligns aiohttp with other popular HTTP clients that already coalesce small requests.

  Related issues and pull requests on GitHub:
  :issue:10991.

Improved documentation

• Improved documentation for middleware by adding warnings and examples about
  request body stream consumption. The documentation now clearly explains that
  request body streams can only be read once and provides best practices for
  sharing parsed request data between middleware and handlers -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:2914.

Packaging updates and notes for downstreams

• Removed non SPDX-license description from setup.cfg -- by :user:devanshu-ziphq.

  Related issues and pull requests on GitHub:
  :issue:10662.

• Added support for building against system llhttp library -- by :user:mgorny.

  This change adds support for :envvar:AIOHTTP_USE_SYSTEM_DEPS environment variable that
  can be used to build aiohttp against the system install of the llhttp library rather
  than the vendored one.

  Related issues and pull requests on GitHub:
  :issue:10759.

• aiodns is now installed on Windows with speedups extra -- by :user:bdraco.

  As of aiodns 3.3.0, SelectorEventLoop is no longer required when using pycares 4.7.0 or later.

  Related issues and pull requests on GitHub:
  :issue:10823.

• Fixed compatibility issue with Cython 3.1.1 -- by :user:bdraco

  Related issues and pull requests on GitHub:
  :issue:10877.

Contributor-facing changes

• Sped up tests by disabling blockbuster fixture for test_static_file_huge and test_static_file_huge_cancel tests -- by :user:dikos1337.

  Related issues and pull requests on GitHub:
  :issue:9705, :issue:10761.

• Updated tests to avoid using deprecated :py:mod:asyncio policy APIs and
  make it compatible with Python 3.14.

  Related issues and pull requests on GitHub:
  :issue:10851.

• Added Winloop to test suite to support in the future -- by :user:Vizonex.

  Related issues and pull requests on GitHub:
  :issue:10922.

Miscellaneous internal changes

• Added support for the partitioned attribute in the set_cookie method.

  Related issues and pull requests on GitHub:
  :issue:9870.

• Setting :attr:aiohttp.web.StreamResponse.last_modified to an unsupported type will now raise :exc:TypeError instead of silently failing -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10146.

---

v3.11.18

Compare Source

====================

Bug fixes

• Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop and newer Python versions -- by :user:lezgomatt.

  Related issues and pull requests on GitHub:
  :issue:7686.

• Fixed reading fragmented WebSocket messages when the payload was masked -- by :user:bdraco.

  The problem first appeared in 3.11.17

  Related issues and pull requests on GitHub:
  :issue:10764.

---

v3.11.17

Compare Source

====================

Miscellaneous internal changes

• Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10713.

• Improved web server performance when connection can be reused -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10714.

• Improved performance of the WebSocket reader -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10740.

• Improved performance of the WebSocket reader with large messages -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10744.

---

v3.11.16

Compare Source

====================

Bug fixes

• Replaced deprecated asyncio.iscoroutinefunction with its counterpart from inspect
  -- by :user:layday.

  Related issues and pull requests on GitHub:
  :issue:10634.

• Fixed :class:multidict.CIMultiDict being mutated when passed to :class:aiohttp.web.Response -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10672.

---

v3.11.15

Compare Source

====================

Bug fixes

• Reverted explicitly closing sockets if an exception is raised during create_connection -- by :user:bdraco.

  This change originally appeared in aiohttp 3.11.13

  Related issues and pull requests on GitHub:
  :issue:10464, :issue:10617, :issue:10656.

Miscellaneous internal changes

• Improved performance of WebSocket buffer handling -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10601.

• Improved performance of serializing headers -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10625.

---

v3.11.14

Compare Source

====================

Bug fixes

• Fixed an issue where dns queries were delayed indefinitely when an exception occurred in a trace.send_dns_cache_miss
  -- by :user:logioniz.

  Related issues and pull requests on GitHub:
  :issue:10529.

• Fixed DNS resolution on platforms that don't support socket.AI_ADDRCONFIG -- by :user:maxbachmann.

  Related issues and pull requests on GitHub:
  :issue:10542.

• The connector now raises :exc:aiohttp.ClientConnectionError instead of :exc:OSError when failing to explicitly close the socket after :py:meth:asyncio.loop.create_connection fails -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10551.

• Break cyclic references at connection close when there was a traceback -- by :user:bdraco.

  Special thanks to :user:availov for reporting the issue.

  Related issues and pull requests on GitHub:
  :issue:10556.

• Break cyclic references when there is an exception handling a request -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10569.

Features

• Improved logging on non-overlapping WebSocket client protocols to include the remote address -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10564.

Miscellaneous internal changes

• Improved performance of parsing content types by adding a cache in the same manner currently done with mime types -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10552.

---

v3.11.13

Compare Source

====================

Bug fixes

• Reverted explicitly closing sockets if an exception is raised during create_connection -- by :user:bdraco.

  This change originally appeared in aiohttp 3.11.13

  Related issues and pull requests on GitHub:
  :issue:10464, :issue:10617, :issue:10656.

Miscellaneous internal changes

• Improved performance of WebSocket buffer handling -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10601.

• Improved performance of serializing headers -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10625.

---

v3.11.12

Compare Source

====================

Bug fixes

• MultipartForm.decode() now follows RFC1341 7.2.1 with a CRLF after the boundary
  -- by :user:imnotjames.

  Related issues and pull requests on GitHub:
  :issue:10270.

• Restored the missing total_bytes attribute to EmptyStreamReader -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10387.

Features

• Updated :py:func:~aiohttp.request to make it accept _RequestOptions kwargs.
  -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:10300.

• Improved logging of HTTP protocol errors to include the remote address -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10332.

Improved documentation

• Added aiohttp-openmetrics to list of third-party libraries -- by :user:jelmer.

  Related issues and pull requests on GitHub:
  :issue:10304.

Packaging updates and notes for downstreams

• Added missing files to the source distribution to fix Makefile targets.
  Added a cythonize-nodeps target to run Cython without invoking pip to install dependencies.

  Related issues and pull requests on GitHub:
  :issue:10366.

• Started building armv7l musllinux wheels -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10404.

Contributor-facing changes

• The CI/CD workflow has been updated to use upload-artifact v4 and download-artifact v4 GitHub Actions -- by :user:silamon.

  Related issues and pull requests on GitHub:
  :issue:10281.

Miscellaneous internal changes

• Restored support for zero copy writes when using Python 3.12 versions 3.12.9 and later or Python 3.13.2+ -- by :user:bdraco.

  Zero copy writes were previously disabled due to :cve:2024-12254 which is resolved in these Python versions.

  Related issues and pull requests on GitHub:
  :issue:10137.

---

v3.11.11

Compare Source

====================

Bug fixes

• Updated :py:meth:~aiohttp.ClientSession.request to reuse the quote_cookie setting from ClientSession._cookie_jar when processing cookies parameter.
  -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:10093.

• Fixed type of SSLContext for some static type checkers (e.g. pyright).

  Related issues and pull requests on GitHub:
  :issue:10099.

• Updated :meth:aiohttp.web.StreamResponse.write annotation to also allow :class:bytearray and :class:memoryview as inputs -- by :user:cdce8p.

  Related issues and pull requests on GitHub:
  :issue:10154.

• Fixed a hang where a connection previously used for a streaming
  download could be returned to the pool in a paused state.
  -- by :user:javitonino.

  Related issues and pull requests on GitHub:
  :issue:10169.

Features

• Enabled ALPN on default SSL contexts. This improves compatibility with some
  proxies which don't work without this extension.
  -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:10156.

Miscellaneous internal changes

• Fixed an infinite loop that can occur when using aiohttp in combination
  with async-solipsism_ -- by :user:bmerry.

  .. _async-solipsism: https://github.com/bmerry/async-solipsism

  Related issues and pull requests on GitHub:
  :issue:10149.

---

v3.11.10

Compare Source

====================

Bug fixes

• Fixed race condition in :class:aiohttp.web.FileResponse that could have resulted in an incorrect response if the file was replaced on the file system during prepare -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10101, :issue:10113.

• Replaced deprecated call to :func:mimetypes.guess_type with :func:mimetypes.guess_file_type when using Python 3.13+ -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10102.

• Disabled zero copy writes in the StreamWriter -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10125.

---

v3.11.9

Compare Source

===================

Bug fixes

• Fixed invalid method logging unexpected being logged at exception level on subsequent connections -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10055, :issue:10076.

Miscellaneous internal changes

• Improved performance of parsing headers when using the C parser -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10073.

---

v3.11.8

Compare Source

===================

Miscellaneous internal changes

• Improved performance of creating :class:aiohttp.ClientResponse objects when there are no cookies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10029.

• Improved performance of creating :class:aiohttp.ClientResponse objects -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10030.

• Improved performances of creating objects during the HTTP request lifecycle -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10037.

• Improved performance of constructing :class:aiohttp.web.Response with headers -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10043.

• Improved performance of making requests when there are no auto headers to skip -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10049.

• Downgraded logging of invalid HTTP method exceptions on the first request to debug level -- by :user:bdraco.

  HTTP requests starting with an invalid method are relatively common, especially when connected to the public internet, because browsers or other clients may try to speak SSL to a plain-text server or vice-versa. These exceptions can quickly fill the log with noise when nothing is wrong.

  Related issues and pull requests on GitHub:
  :issue:10055.

---

v3.11.7

Compare Source

===================

Bug fixes

• Fixed the HTTP client not considering the connector's force_close value when setting the Connection header -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10003.

Miscellaneous internal changes

• Improved performance of serializing HTTP headers -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10014.

---

v3.11.6

Compare Source

===================

Bug fixes

• Restored the force_close method to the ResponseHandler -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9997.

---

v3.11.5

Compare Source

===================

Bug fixes

• Fixed the ANY method not appearing in :meth:~aiohttp.web.UrlDispatcher.routes -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9899, :issue:9987.

---

v3.11.4

Compare Source

===================

Bug fixes

• Fixed StaticResource not allowing the OPTIONS method after calling set_options_route -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9972, :issue:9975, :issue:9976.

Miscellaneous internal changes

• Improved performance of creating web responses when there are no cookies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9895.

---

v3.11.3

Compare Source

===================

Bug fixes

• Removed non-existing __author__ from dir(aiohttp) -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:9918.

• Restored the FlowControlDataQueue class -- by :user:bdraco.

  This class is no longer used internally, and will be permanently removed in the next major version.

  Related issues and pull requests on GitHub:
  :issue:9963.

Miscellaneous internal changes

• Improved performance of resolving resources when multiple methods are registered for the same route -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9899.

---

v3.11.2

Compare Source

===================

Bug fixes

• Fixed improperly closed WebSocket connections generating an unhandled exception -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9883.

---

v3.11.1

Compare Source

====================

Bug fixes

• Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop and newer Python versions -- by :user:lezgomatt.

  Related issues and pull requests on GitHub:
  :issue:7686.

• Fixed reading fragmented WebSocket messages when the payload was masked -- by :user:bdraco.

  The problem first appeared in 3.11.17

  Related issues and pull requests on GitHub:
  :issue:10764.

---

v3.11.0

Compare Source

===================

Bug fixes

• Raise :exc:aiohttp.ServerFingerprintMismatch exception on client-side if request through http proxy with mismatching server fingerprint digest: aiohttp.ClientSession(headers=headers, connector=TCPConnector(ssl=aiohttp.Fingerprint(mismatch_digest), trust_env=True).request(...) -- by :user:gangj.

  Related issues and pull requests on GitHub:
  :issue:6652.

• Modified websocket :meth:aiohttp.ClientWebSocketResponse.receive_str, :py:meth:aiohttp.ClientWebSocketResponse.receive_bytes, :py:meth:aiohttp.web.WebSocketResponse.receive_str & :py:meth:aiohttp.web.WebSocketResponse.receive_bytes methods to raise new :py:exc:aiohttp.WSMessageTypeError exception, instead of generic :py:exc:TypeError, when websocket messages of incorrect types are received -- by :user:ara-25.

  Related issues and pull requests on GitHub:
  :issue:6800.

• Made TestClient.app a Generic so type checkers will know the correct type (avoiding unneeded client.app is not None checks) -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8977.

• Fixed the keep-alive connection pool to be FIFO instead of LIFO -- by :user:bdraco.

  Keep-alive connections are more likely to be reused before they disconnect.

  Related issues and pull requests on GitHub:
  :issue:9672.

Features

• Added strategy parameter to :meth:aiohttp.web.StreamResponse.enable_compression
  The value of this parameter is passed to the :func:zlib.compressobj function, allowing people
  to use a more sufficient compression algorithm for their data served by :mod:aiohttp.web
  -- by :user:shootkin

  Related issues and pull requests on GitHub:
  :issue:6257.

• Added server_hostname parameter to ws_connect.

  Related issues and pull requests on GitHub:
  :issue:7941.

• Exported :py:class:~aiohttp.ClientWSTimeout to top-level namespace -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8612.

• Added secure/httponly/samesite parameters to .del_cookie() -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8956.

• Updated :py:class:~aiohttp.ClientSession's auth logic to include default auth only if the request URL's origin matches _base_url; otherwise, the auth will not be included -- by :user:MaximZemskov

  Related issues and pull requests on GitHub:
  :issue:8966, :issue:9466.

• Added proxy and proxy_auth parameters to :py:class:~aiohttp.ClientSession -- by :user:meshya.

  Related issues and pull requests on GitHub:
  :issue:9207.

• Added default_to_multipart parameter to FormData.

  Related issues and pull requests on GitHub:
  :issue:9335.

• Added :py:meth:~aiohttp.ClientWebSocketResponse.send_frame and :py:meth:~aiohttp.web.WebSocketResponse.send_frame for WebSockets -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9348.

• Updated :py:class:~aiohttp.ClientSession to support paths in base_url parameter.
  base_url paths must end with a / -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:9530.

• Improved performance of reading WebSocket messages with a Cython implementation -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9543, :issue:9554, :issue:9556, :issue:9558, :issue:9636, :issue:9649, :issue:9781.

• Added writer_limit to the :py:class:~aiohttp.web.WebSocketResponse to be able to adjust the limit before the writer forces the buffer to be drained -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9572.

• Added an :attr:~aiohttp.abc.AbstractAccessLogger.enabled property to :class:aiohttp.abc.AbstractAccessLogger to dynamically check if logging is enabled -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9822.

Deprecations (removal in next major release)

• Deprecate obsolete timeout: float and receive_timeout: Optional[float] in :py:meth:~aiohttp.ClientSession.ws_connect. Change default websocket receive timeout from None to 10.0.

  Related issues and pull requests on GitHub:
  :issue:3945.

Removals and backward incompatible breaking changes

• Dropped support for Python 3.8 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8797.

• Increased minimum yarl version to 1.17.0 -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:8909, :issue:9079, :issue:9305, :issue:9574.

• Removed the is_ipv6_address and is_ip4_address helpers are they are no longer used -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9344.

• Changed ClientRequest.connection_key to be a NamedTuple to improve client performance -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9365.

• FlowControlDataQueue has been replaced with the WebSocketDataQueue -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9685.

• Changed ClientRequest.request_info to be a NamedTuple to improve client performance -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9692.

Packaging updates and notes for downstreams

• Switched to using the :mod:propcache <propcache.api> package for property caching
  -- by :user:bdraco.

  The :mod:propcache <propcache.api> package is derived from the property caching
  code in :mod:yarl and has been broken out to avoid maintaining it for multiple
  projects.

  Related issues and pull requests on GitHub:
  :issue:9394.

• Separated aiohttp.http_websocket into multiple files to make it easier to maintain -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9542, :issue:9552.

Contributor-facing changes

• Changed diagram images generator from blockdiag to GraphViz.
  Generating documentation now requires the GraphViz executable to be included in $PATH or sphinx build configuration.

  Related issues and pull requests on GitHub:
  :issue:9359.

Miscellaneous internal changes

• Added flake8 settings to avoid some forms of implicit concatenation. -- by :user:booniepepper.

  Related issues and pull requests on GitHub:
  :issue:7731.

• Enabled keep-alive support on proxies (which was originally disabled several years ago) -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8920.

• Changed web entry point to not listen on TCP when only a Unix path is passed -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:9033.

• Disabled automatic retries of failed requests in :class:aiohttp.test_utils.TestClient's client session
  (which could potentially hide errors in tests) -- by :user:ShubhAgarwal-dev.

  Related issues and pull requests on GitHub:
  :issue:9141.

• Changed web keepalive_timeout default to around an hour in order to reduce race conditions on reverse proxies -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:9285.

• Reduced memory required for stream objects created during the client request lifecycle -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9407.

• Improved performance of the internal DataQueue -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9659.

• Improved performance of calling receive for WebSockets for the most common message types -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9679.

• Replace internal helper methods method_must_be_empty_body and status_code_must_be_empty_body with simple set lookups -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9722.

• Improved performance of :py:class:aiohttp.BaseConnector when there is no limit_per_host -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9756.

• Improved performance of sending HTTP requests when there is no body -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9757.

• Improved performance of the WebsocketWriter when the protocol is not paused -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9796.

• Implemented zero copy writes for StreamWriter -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9839.

---

v3.10.11

Compare Source

====================

Bug fixes

• Authentication provided by a redirect now takes precedence over provided auth when making requests with the client -- by :user:PLPeeters.

  Related issues and pull requests on GitHub:
  :issue:9436.

• Fixed :py:meth:WebSocketResponse.close() <aiohttp.web.WebSocketResponse.close> to discard non-close messages within its timeout window after sending close -- by :user:lenard-mosys.

  Related issues and pull requests on GitHub:
  :issue:9506.

• Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:bdraco.

  The connector was not cancellation-safe.

  Related issues and pull requests on GitHub:
  :issue:9670, :issue:9671.

• Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:bdraco.

  Related issues and pull requests on GitHub:

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.