Dang; I found and reported this vulnerability on June 5 (after this report was made, but before it was made public or patched), and was told that they were already aware of the bug and working on a fix. I didn't realize I'd been beaten by only 10 days!<p><a href="https://github.com/aio-libs/aiohttp/issues/7312">https://github.com/aio-libs/aiohttp/issues/7312</a>
<a href="https://github.com/nodejs/premature-disclosures/issues/4">https://github.com/nodejs/premature-disclosures/issues/4</a>