Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1.
Published: 2026-06-22
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an HTTP request containing a compressed payload to be decompressed in a single large chunk during aiohttp’s cleanup stage. This can lead to significant memory consumption, potentially exhausting system resources and causing a denial of service. The weakness is classified as CWE-409, indicating an improper TCP/HTTP preparation exploit. While the description does not explicitly state the attacker’s attack vector, it is inferred that an attacker can send a specially crafted HTTP request to trigger the decompression.

Affected Systems

The affected vendor is aio-libs and the product is aiohttp. All releases prior to version 3.14.1 are vulnerable; the fix was introduced in 3.14.1.

Risk and Exploitability

The CVSS score of 6.6 indicates a moderate severity, and the EPSS score is not available, so the precise exploitation likelihood is unknown. The vulnerability is not listed in the CISA KEV catalog. An attacker would need network access to the aiohttp service and would trigger the vulnerability by sending a compressed request body that bypasses client size limits during cleanup. Successful exploitation could lead to a denial of service due to memory exhaustion.

Generated by OpenCVE AI on June 22, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.14.1 or later.
  • If an upgrade is not immediately possible, configure the application to reject or limit request bodies before they reach aiohttp’s cleanup logic, ensuring compression checks are performed early.
  • Apply external request size limits, such as configuring a web server or reverse proxy to enforce stricter maximum body sizes for incoming requests.

Generated by OpenCVE AI on June 22, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g3cq-j2xw-wf74 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1.
Title AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
Weaknesses CWE-409
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Aio-libs Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:10:36.815Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54278

cve-icon Vulnrichment

Updated: 2026-06-23T13:51:54.336Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T16:38:38Z

Links: CVE-2026-54278 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T20:00:06Z

Weaknesses
  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)