Impact
AIOHTTP’s default C‑based HTTP parser ignores the max_line_size setting when handling fragmented lines; an attacker can send arbitrarily large lines that cause the parser to allocate excessive memory, eventually exhausting system resources and triggering a denial of service. The flaw is classified as CWE‑131 and CWE‑770, which describe vulnerabilities that allow incorrect buffer length calculation and arbitrary resource consumption. The security impact is limited to service availability and does not provide remote code execution or privilege escalation.
Affected Systems
The flaw affects any system that uses the aio‑libs aiohttp Python library before version 3.14.1. Applications that rely on aiohttp as an HTTP client or server component are at risk if they depend on the default C parser shipped in pre‑built wheels.
Risk and Exploitability
With a CVSS score of 6.6, the vulnerability has moderate severity. The EPSS score is reported as < 1 %, indicating a very low exploitation probability. The flaw is classified as CWE‑131 and CWE‑770, and it is not listed in CISA KEV. An attacker could target exposed HTTP services running aiohttp by sending crafted requests that trigger excessive memory consumption, potentially leading to crashes or requiring manual intervention to restart the service.
OpenCVE Enrichment
Github GHSA