CVE-2026-34513 affects aiohttp, a popular asynchronous HTTP client/server framework used with Python's asyncio library. Prior to version 3.13.4, aiohttp maintained a DNS cache without imposing limits or throttling on its size. This unbounded caching behavior can cause the application to consume excessive amounts of memory if an attacker triggers numerous unique DNS lookups. Over time, this can lead to resource exhaustion, resulting in degraded performance or a denial-of-service (DoS) condition. The vulnerability is categorized under CWE-770, which involves allocation of resources without proper limits, leading to potential exhaustion. The flaw can be exploited remotely without any authentication or user interaction, making it accessible to unauthenticated attackers. The CVSS 4.0 base score is 2.7, reflecting low severity due to limited impact scope and lack of privilege escalation or confidentiality breach. The issue was publicly disclosed and patched in version 3.13.4 of aiohttp. No known active exploits have been reported. This vulnerability primarily affects applications and services that rely on aiohttp for asynchronous HTTP communication and DNS resolution, especially those exposed to untrusted networks.

The primary impact of this vulnerability is on the availability of systems running vulnerable versions of aiohttp. Excessive memory consumption caused by an unbounded DNS cache can degrade application performance, cause crashes, or lead to denial-of-service conditions. This can disrupt services relying on aiohttp, particularly web servers, microservices, or API clients that perform many DNS lookups. While the vulnerability does not affect confidentiality or integrity, the availability impact can be significant for high-traffic or critical applications. Organizations with large-scale deployments of aiohttp or those exposed to the internet are at higher risk. The lack of authentication or user interaction requirements lowers the barrier for exploitation, increasing potential exposure. However, the low CVSS score and absence of known exploits suggest limited immediate threat. Still, unpatched systems remain vulnerable to resource exhaustion attacks that could impact operational continuity.

The primary mitigation is to upgrade aiohttp to version 3.13.4 or later, where the DNS cache is properly bounded and throttled to prevent excessive memory usage. Organizations should audit their Python environments to identify aiohttp versions in use, especially in network-facing applications. For environments where immediate upgrade is not feasible, consider implementing external DNS caching or limiting DNS query rates at the network or application layer to reduce the risk of cache exhaustion. Monitoring memory usage and setting resource limits on processes running aiohttp can help detect and contain potential exploitation attempts. Additionally, applying standard network security controls such as rate limiting, firewall rules, and anomaly detection can reduce exposure to malicious DNS query floods. Developers should review their use of aiohttp DNS resolution to avoid unnecessary or excessive lookups. Finally, maintain awareness of updates from aio-libs and apply patches promptly.