Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
Published: 2026-06-22
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AIOHTTP’s default C‑based HTTP parser ignores the max_line_size setting when handling fragmented lines; an attacker can send arbitrarily large lines that cause the parser to allocate excessive memory, eventually exhausting system resources and triggering a denial of service. The flaw is classified as CWE‑770 (Allocation of Resources Without Limits or Throttling). The security impact is limited to service availability; it does not provide remote code execution or privilege escalation.

Affected Systems

The flaw affects any system that uses the aio‑libs aiohttp Python library before version 3.14.1. Applications that rely on aiohttp as an HTTP client or server component are at risk if they depend on the default C parser shipped in pre‑built wheels.

Risk and Exploitability

With a CVSS score of 6.6, the vulnerability is considered medium severity, and there is no EPSS score available to indicate current exploitation probability. The flaw is not listed in CISA KEV, but an attacker could target exposed HTTP services running aiohttp by sending crafted requests that trigger excessive memory consumption, potentially leading to crashes or requiring manual intervention to restart the service.

Generated by OpenCVE AI on June 22, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the aiohttp library to version 3.14.1 or later, which includes the fix for the max_line_size check in the C parser.
  • As an interim measure, configure aiohttp to use its pure‑Python parser by setting the use_cparser flag to False; this removes the C parser bug but may impact performance.
  • If upgrading or disabling the C parser is not immediately possible, consider implementing application‑level request size limits or network‑level rate limiting to mitigate potential DoS attempts.
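As an added example (not code from aiohttp or OpenCVE), a small audit script that applies the two checks the recommended actions imply: is the installed aiohttp older than 3.14.1, and would the optimised C parser be used? It assumes the AIOHTTP_NO_EXTENSIONS environment variable as the switch that forces the pure-Python parser, which is how the library gates loading its compiled extension.

```python
"""Audit a Python environment for exposure to CVE-2026-54277 (aiohttp C parser
ignoring max_line_size). Added example; not code from aiohttp or OpenCVE."""
import importlib.util
import os
import re
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (3, 14, 1)  # first fixed release per the advisory


def parse_version(text: str) -> Tuple[int, int, int]:
    """Numeric release part only: '3.13.0b2' -> (3, 13, 0); pre-release tags are dropped."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) if p else 0 for p in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(text: str) -> bool:
    """True for any release older than 3.14.1."""
    return parse_version(text) < FIXED_VERSION


def c_parser_active() -> Optional[bool]:
    """True if the compiled C parser would load, False if the pure-Python parser
    is forced (assumption: AIOHTTP_NO_EXTENSIONS is aiohttp's opt-out switch),
    None if aiohttp is not importable at all."""
    if importlib.util.find_spec("aiohttp") is None:
        return None
    if os.environ.get("AIOHTTP_NO_EXTENSIONS"):
        return False
    return importlib.util.find_spec("aiohttp._http_parser") is not None


def assess(version_text: Optional[str], c_parser: Optional[bool]) -> str:
    """Combine the two checks into one verdict string."""
    if version_text is None or c_parser is None:
        return "not-installed"
    if not is_vulnerable_version(version_text):
        return "fixed"            # >= 3.14.1: parser bug is patched
    if c_parser:
        return "exposed"          # old version and the C parser is in use
    return "mitigated"            # old version but pure-Python parser forced


if __name__ == "__main__":
    try:
        ver: Optional[str] = installed_version("aiohttp")
    except PackageNotFoundError:
        ver = None
    verdict = assess(ver, c_parser_active())
    print(f"aiohttp={ver} c_parser={c_parser_active()} -> {verdict}")
```

Run it inside each virtual environment that serves HTTP with aiohttp; "mitigated" only means the pure-Python parser is forced, so the upgrade is still the durable fix.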


Tracking


Advisories
Source: Github GHSA
ID: GHSA-63hw-fmq6-xxg2
Title: aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
History

Mon, 22 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
Title | (none) | AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Weaknesses | (none) | CWE-770
References | (none) | (none)
Metrics | (none) | cvssV4_0: {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-06-22T16:37:28.532Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54277

OpenCVE Enrichment

Updated: 2026-06-22T18:45:04Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling