Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
Published: 2026-04-01
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Memory DoS
Action: Patch
AI Analysis

Impact

AIOHTTP reads entire multipart form data fields into memory before validating them against the configured client_max_size limit. This behavior enables an attacker to submit overly large fields that consume excessive server memory, causing performance degradation or a crash and resulting in a denial of service for legitimate users. The impact is a resource exhaustion vulnerability classified under CWE‑770 with a CVSS score of 2.7.

Affected Systems

The vulnerable component is the aio-libs aiohttp framework. All installations of aiohttp prior to version 3.13.4 are affected. Applications that expose HTTP endpoints using this library, whether as a web framework or as an HTTP client handling multipart data, are at risk.

Risk and Exploitability

Based on the description, it is inferred that an attacker can remotely send specially crafted HTTP requests to a server that uses a vulnerable aiohttp instance. The low CVSS score and the absence of an EPSS metric suggest a moderate overall risk, but the lack of a current Public Exploit Means the threat is likely limited to environments where the server accepts multipart form data. The vulnerability is not listed in CISA’s KEV catalog, indicating no known large‑scale exploitation. Nevertheless, when a single client can exhaust server memory, the denial of service impact can be significant for critical services.

Generated by OpenCVE AI on April 2, 2026 at 02:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.13.4 or later
  • Configure the server’s client_max_size setting to an appropriate limit
  • Verify that all applications using aiohttp have been updated

Generated by OpenCVE AI on April 2, 2026 at 02:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3wq7-rqq7-wx6j AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Aiohttp
Aiohttp aiohttp
CPEs cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products Aiohttp
Aiohttp aiohttp
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
Title AIOHTTP: Late size enforcement for non-file multipart fields causes memory DoS
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Aio-libs Aiohttp
Aiohttp Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:24:18.699Z

Reserved: 2026-03-30T16:03:31.047Z

Link: CVE-2026-34517

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T21:16:59.870

Modified: 2026-04-15T13:54:53.970

Link: CVE-2026-34517

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-01T20:14:15Z

Links: CVE-2026-34517 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:16:41Z

Weaknesses