Impact
The vulnerability allows an HTTP request containing a compressed payload to be decompressed in a single large chunk during aiohttp’s cleanup stage. This can lead to significant memory consumption, potentially exhausting system resources and causing a denial of service. The weakness is classified as CWE-409, indicating an improper TCP/HTTP preparation exploit. While the description does not explicitly state the attacker’s attack vector, it is inferred that an attacker can send a specially crafted HTTP request to trigger the decompression.
Affected Systems
The affected vendor is aio-libs and the product is aiohttp. All releases prior to version 3.14.1 are vulnerable; the fix was introduced in 3.14.1.
Risk and Exploitability
The CVSS score of 6.6 indicates a moderate severity, and the EPSS score is not available, so the precise exploitation likelihood is unknown. The vulnerability is not listed in the CISA KEV catalog. An attacker would need network access to the aiohttp service and would trigger the vulnerability by sending a compressed request body that bypasses client size limits during cleanup. Successful exploitation could lead to a denial of service due to memory exhaustion.
OpenCVE Enrichment
Github GHSA