Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
Published: 2026-04-01
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (memory exhaustion)
Action: Patch Now
AI Analysis

Impact

The vulnerability lies in AIOHTTP’s DNS cache handling; before version 3.13.4 the cache expands unbounded as new DNS queries arrive. This unchecked growth can drain the Python process’s memory, leading to crashes or refusal of new requests, which presents as a denial of service. The weakness is classified as CWE‑770, indicating excessive resource consumption.

Affected Systems

All installations of aio-libs AIOHTTP earlier than version 3.13.4 are vulnerable. The issue affects Python developers and system administrators using the library as an asynchronous HTTP client or server framework for asyncio. No additional vendors or products are mentioned.

Risk and Exploitability

With a CVSS score of 2.7, the vulnerability is low in severity and expected exploitation difficulty. EPSS data are not released and the issue is not listed in CISA’s KEV catalog, implying limited or no known exploitation in the wild. The likely attack vector is network‑based: an actor can provoke unbounded cache growth by issuing many distinct host queries through the affected AIOHTTP instance. While the vulnerability does not provide arbitrary code execution, the memory exhaustion can degrade service availability and impact dependent applications.

Generated by OpenCVE AI on April 2, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.13.4 or later.

Advisories
Source | ID | Title
Github GHSA | GHSA-hcc4-c3v8-rx92 | AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
History

Wed, 15 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aiohttp; Aiohttp aiohttp
CPEs | | cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products | | Aiohttp; Aiohttp aiohttp
Metrics | cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'} | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aio-libs; Aio-libs aiohttp
Vendors & Products | | Aio-libs; Aio-libs aiohttp

Thu, 02 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}; threat_severity Low


Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
Title | | AIOHTTP: Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
Weaknesses | | CWE-770
References | |
Metrics | | cvssV4_0 {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:24:25.476Z

Reserved: 2026-03-30T16:03:31.047Z

Link: CVE-2026-34513

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-01T21:16:59.267

Modified: 2026-04-15T14:16:06.307

Link: CVE-2026-34513

Redhat

Severity : Low

Public Date: 2026-04-01T20:06:13Z

Links: CVE-2026-34513 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:16:46Z

Weaknesses