Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
Published: 2026-04-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exhaustion
Action: Immediate Patch
AI Analysis

Impact

An asynchronous HTTP client/server framework for Python, called AIOHTTP, had insufficient limits on trailer headers. The flaw permits a client to send an unlimited number of trailer headers, so unbounded memory allocations can occur. This results in memory exhaustion that can lead to crashes or denial of service for legitimate traffic. The weakness maps to CWE‑400 and CWE‑770.

Affected Systems

The vulnerability affects the aio-libs aiohttp package in all releases prior to version 3.13.4. Versions up to and including 3.13.3 are impacted. Upgrading to 3.13.4 or later resolves the issue.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% suggests low current exploit activity. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw by sending crafted HTTP requests containing an excessively large number of trailer headers from a remote host. If exploited, memory consumption can grow without bound, potentially exhausting system resources and causing service interruption.

Generated by OpenCVE AI on April 6, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update aiohttp to v3.13.4 or later.
  • If upgrading is not immediately possible, configure a reverse proxy or load balancer to limit the size or number of HTTP trailer headers.
  • Monitor application memory usage and set alerts for abnormal increases.

Generated by OpenCVE AI on April 6, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w2fm-2cpv-w7v5 aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
History

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Aiohttp
Aiohttp aiohttp
CPEs cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products Aiohttp
Aiohttp aiohttp

Sat, 04 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
Title AIOHTTP: Uncapped memory usage possible through aiohttp allowing unlimited trailer headers
Weaknesses CWE-400
CWE-770
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Aio-libs Aiohttp
Aiohttp Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-04T03:10:24.396Z

Reserved: 2026-01-09T22:50:10.288Z

Link: CVE-2026-22815

cve-icon Vulnrichment

Updated: 2026-04-04T03:10:17.025Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T21:16:58.513

Modified: 2026-04-06T16:48:48.530

Link: CVE-2026-22815

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-01T20:08:08Z

Links: CVE-2026-22815 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:07:30Z

Weaknesses