Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched in version 3.13.4.
Published: 2026-04-01
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

AIOHTTP allows an attacker to send a response with an excessive number of multipart headers. Because the framework does not enforce a limit, it allocates memory proportional to the header count, leading to possible memory exhaustion and a denial‑of‑service condition. The defect is a memory allocation flaw as identified by CWE‑770.

Affected Systems

The vulnerability affects all releases of aio-libs aiohttp older than version 3.13.4. The fix was introduced in v3.13.4, which validates multipart header counts before processing.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred from the description: an attacker would send a crafted HTTP response containing thousands of multipart headers to a server running an affected aiohttp instance, which is feasible over the network and does not require local code execution.

Generated by OpenCVE AI on April 2, 2026 at 02:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to 3.13.4 or later.
  • If an immediate upgrade is not possible, implement monitoring and throttling of incoming requests with unusually large multipart header counts.

Generated by OpenCVE AI on April 2, 2026 at 02:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m5qp-6w8w-w647 AIOHTTP has a Multipart Header Size Bypass
History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Aiohttp
Aiohttp aiohttp
CPEs cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products Aiohttp
Aiohttp aiohttp

Sat, 04 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched in version 3.13.4.
Title AIOHTTP: Multipart Header Size Bypass
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Aio-libs Aiohttp
Aiohttp Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-04T03:11:58.583Z

Reserved: 2026-03-30T16:03:31.047Z

Link: CVE-2026-34516

cve-icon Vulnrichment

Updated: 2026-04-04T03:11:52.806Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T21:16:59.723

Modified: 2026-04-15T13:57:47.433

Link: CVE-2026-34516

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-01T20:13:04Z

Links: CVE-2026-34516 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:16:42Z

Weaknesses