Impact
The vulnerability occurs when a client disconnects during a payload write, causing the framework to leave file or other limited resources open. This temporary resource starvation can lead to denial of service if an attacker repeatedly triggers the flaw, exhausting file descriptors or other scarce resources. The weakness is a missing resource cleanup (CWE-404).
Affected Systems
aio-libs aiohttp versions earlier than 3.14.1 are affected.
Risk and Exploitability
The CVSS score of 1.7 indicates low severity, and the exploitability is limited to situations where an attacker can send requests to an aiohttp instance that uses file-based payloads. No EPSS data is available and the vulnerability is not listed in KEV, suggesting a low likelihood of current exploitation. However, because the flaw permits temporary exhaustion of system resources, careful monitoring is advised.
OpenCVE Enrichment
Github GHSA