Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
Published: 2026-06-22
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AIOHTTP HTTP/1 server queues pipelined requests without an upper bound. Because pipelining lets a client send the next request without waiting for the previous response, a single TCP connection is enough to push requests in faster than the handlers drain them, and the server keeps queuing. Each queued request holds memory for its buffered bytes, parser state and pending response. An attacker who keeps sending pipelined requests can therefore drive the server process to excessive memory use until it is killed or stops responding. This is a classic resource-exhaustion flaw, tracked as CWE-770 (Allocation of Resources Without Limits or Throttling). The consequence is denial of service; no impact on confidentiality or integrity is described.

Affected Systems

All releases of aiohttp prior to 3.14.1 are affected; this covers the 3.x line through the 3.13.x series. Only the server side is in scope: pipelined requests are received and queued by aiohttp's HTTP/1 server, so an application that uses only the client API is not exposed by this issue. The fix ships in release 3.14.1 and later.

Risk and Exploitability

The CVSS 4.0 base score of 6.6 (Medium) reflects a network-reachable flaw that needs no privileges, no user interaction and no special preconditions (AV:N/AC:L/AT:N/PR:N/UI:N), with high impact on availability only (VA:H); exploit maturity is unreported (E:U). EPSS is not yet available, so the current exploitation probability cannot be quantified, and the CVE is not listed in CISA KEV. An attacker needs only a TCP connection to the aiohttp server and the ability to send many HTTP/1 requests back to back without waiting for responses, so any unauthenticated client can reach an internet-facing aiohttp service that has no pipelining-aware proxy in front of it. Until the patch is applied the risk remains significant.

Generated by OpenCVE AI on June 22, 2026 at 18:21 UTC.

Remediation

Fixed upstream in aiohttp 3.14.1 (see the description and GHSA-4fvr-rgm6-gqmc). No vendor-supplied workaround for earlier releases is listed.

OpenCVE Recommended Actions

  • Upgrade the aiohttp package to 3.14.1 or later; the fix caps the number of pipelined requests a connection may queue.
  • If an immediate upgrade is not feasible, terminate client connections at a reverse proxy or load balancer and let it enforce the limits: proxies generally forward pipelined requests to the backend one at a time, and directives such as nginx's keepalive_requests (requests per client connection) and limit_conn (connections per client address) bound how much one attacker can queue. Pair this with short read and idle timeouts.
  • Monitor memory use of aiohttp worker processes and alert on sudden growth, so that a connection flood is noticed and cut off before the process is killed.
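The queue behaviour described under Impact, and the kind of bound the 3.14.1 fix introduces, can be seen in miniature below. This is an added example and is not aiohttp's code or the 3.14.1 patch: a small HTTP/1 request-head parser that accepts pipelined requests from one connection but refuses to hold more than an assumed cap of unanswered requests, with a switch to reproduce the unbounded behaviour for comparison. The class and function names, the cap of 8, the 8 KiB head limit and the sample traffic are all illustrative assumptions.

```python
"""Bounded queue for HTTP/1 pipelined requests (a CWE-770 mitigation pattern).

Added example, not aiohttp's code or the 3.14.1 patch. All names, limits
and sample traffic below are illustrative assumptions.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional

MAX_PIPELINED = 8          # assumed cap on unanswered requests per connection
MAX_HEAD_BYTES = 8 * 1024  # assumed cap on an incomplete request head


class PipelineOverflow(Exception):
    """A client has sent more pipelined requests than the server will hold."""


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str]
    body: bytes = b""


@dataclass
class PipelinedConnection:
    """Per-connection state: a receive buffer plus the unanswered-request queue.

    max_queued=None reproduces the unbounded behaviour described in the
    advisory; an integer caps the queue.
    """
    max_queued: Optional[int] = MAX_PIPELINED
    _buf: bytearray = field(default_factory=bytearray)
    _queue: Deque[Request] = field(default_factory=deque)

    def feed(self, data: bytes) -> int:
        """Append bytes read from the socket and parse every complete request.

        Returns how many requests this chunk completed. Raises PipelineOverflow
        as soon as the queue would grow past max_queued, or when an incomplete
        head exceeds MAX_HEAD_BYTES, so the caller closes the connection
        instead of letting memory grow with the attacker's send rate.
        """
        self._buf += data
        parsed = 0
        while (req := self._parse_one()) is not None:
            if self.max_queued is not None and len(self._queue) >= self.max_queued:
                raise PipelineOverflow(
                    f"more than {self.max_queued} unanswered pipelined requests")
            self._queue.append(req)
            parsed += 1
        # Whatever remains is either an incomplete head or a head whose body is
        # still arriving; only the former is bounded here (a real server also
        # needs a body-size limit).
        if b"\r\n\r\n" not in self._buf and len(self._buf) > MAX_HEAD_BYTES:
            raise PipelineOverflow("request head exceeds MAX_HEAD_BYTES")
        return parsed

    def _parse_one(self) -> Optional[Request]:
        """Pop one complete request off the buffer, or None if more bytes are needed."""
        end = self._buf.find(b"\r\n\r\n")
        if end < 0:
            return None
        lines = bytes(self._buf[:end]).split(b"\r\n")
        parts = lines[0].decode("latin-1").split(" ", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed request line: {lines[0]!r}")
        method, target, _version = parts
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        # Only Content-Length bodies are handled; a real server also needs
        # chunked transfer encoding and must answer a malformed length with 400.
        length = int(headers.get("content-length", "0"))
        total = end + 4 + length
        if len(self._buf) < total:
            return None  # head complete, body still in flight
        body = bytes(self._buf[end + 4:total])
        del self._buf[:total]
        return Request(method, target, headers, body)

    def next_request(self) -> Optional[Request]:
        """Hand the oldest queued request to a handler; frees one queue slot."""
        return self._queue.popleft() if self._queue else None

    def pending(self) -> int:
        return len(self._queue)


def pipelined_gets(n: int) -> bytes:
    """Constructed sample traffic: n back-to-back GET requests on one connection."""
    return b"".join(b"GET /%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % i for i in range(n))


def simulate(attack: bytes, max_queued: Optional[int], chunk: int = 1024):
    """Feed attacker bytes in socket-sized chunks with no handler draining the queue.

    Returns (requests held in memory, connection_was_closed).
    """
    conn = PipelinedConnection(max_queued=max_queued)
    for i in range(0, len(attack), chunk):
        try:
            conn.feed(attack[i:i + chunk])
        except PipelineOverflow:
            return conn.pending(), True
    return conn.pending(), False


if __name__ == "__main__":
    traffic = pipelined_gets(10_000)
    print("unbounded:", simulate(traffic, max_queued=None))         # (10000, False)
    print("bounded:  ", simulate(traffic, max_queued=MAX_PIPELINED))  # (8, True)
```

Raising and closing the connection is the simplest response; the other option is backpressure, i.e. pausing reads from the socket while the queue is full and resuming once a handler has consumed a request. Either way the per-connection memory is bounded by the cap times the head limit rather than by how fast the client can send.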


Advisories

Source       ID                    Title
GitHub GHSA  GHSA-4fvr-rgm6-gqmc   aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
History

Mon, 22 Jun 2026 17:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
Title        (none)           AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit
Weaknesses   (none)           CWE-770
References   (none)           (none)
Metrics      (none)           cvssV4_0: score 6.6, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:38:06.286Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54273

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling