Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.
Published: 2026-06-22
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when a client disconnects during a payload write, causing the framework to leave file or other limited resources open. This temporary resource starvation can lead to denial of service if an attacker repeatedly triggers the flaw, exhausting file descriptors or other scarce resources. The weakness is a missing resource cleanup (CWE-404).

Affected Systems

aio-libs aiohttp versions earlier than 3.14.1 are affected.

Risk and Exploitability

The CVSS score of 1.7 indicates low severity, and the exploitability is limited to situations where an attacker can send requests to an aiohttp instance that uses file-based payloads. No EPSS data is available and the vulnerability is not listed in KEV, suggesting a low likelihood of current exploitation. However, because the flaw permits temporary exhaustion of system resources, careful monitoring is advised.

Generated by OpenCVE AI on June 22, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.14.1 or later.
  • If upgrade is not immediately possible, configure the server to limit concurrent connections and monitor open file descriptors to detect potential resource leaks.
  • Manually manage and close payload resources or implement a custom cleanup routine to ensure file handles are released when a client disconnects.

Generated by OpenCVE AI on June 22, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9x8q-7h8h-wcw9 aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
History

Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.
Title AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Weaknesses CWE-404
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Aio-libs Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T18:18:21.597Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54280

cve-icon Vulnrichment

Updated: 2026-06-22T18:17:38.700Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T20:00:06Z

Weaknesses
  • CWE-404

    Improper Resource Shutdown or Release