Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1.
Published: 2026-06-22
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to send large, incomplete WebSocket frames that bypass the framework’s configured memory size checks. The result is that the server can consume more memory than intended, potentially exhausting available resources and degrading or halting service availability. The weakness is a classic resource exhaustion issue (CWE-770).

Affected Systems

The affected product is the aio-libs AIOHTTP framework, versions earlier than 3.14.1. Systems running any of those versions are susceptible, regardless of platform or deployment environment.

Risk and Exploitability

The CVSS score of 6.6 reflects a moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, indicating low documented exploitation. Attackers would need remote access via a WebSocket connection to the vulnerable service. If exploited, a single attacker could consume a significant fraction of the host’s memory, leading to service interruption. The lack of an exploited reference suggests the attack path is not widely used yet, but the risk remains due to the potential for denial of service.

Generated by OpenCVE AI on June 22, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AIOHTTP version 3.14.1 or later, which implements proper payload size validation.
  • If an upgrade is not immediately possible, restrict WebSocket connections to trusted networks only and consider inserting application layer limits on payload sizes.
  • Replace or upgrade the library to an alternative that enforces strict memory limits for WebSocket frames.

Generated by OpenCVE AI on June 22, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xcgm-r5h9-7989 aiohttp: Incomplete websocket frame payloads bypass memory limits
History

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1.
Title AIOHTTP: Incomplete websocket frame payloads bypass memory limits
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T18:14:44.845Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54274

cve-icon Vulnrichment

Updated: 2026-06-22T18:14:27.494Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling