Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Threat Intelligence
CVE-2026-54280: CWE-404: Improper Resource Shutdown or Release in aio-libs aiohttp
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.
CVE Database V5 | 06/22/2026, 16:40:23 UTC | Added: 06/22/2026, 17:39:40 UTC

CVE-2026-54279: CWE-665: Improper Initialization in aio-libs aiohttp
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() lose their host-only status. This vulnerability is fixed in 3.14.1.
CVE Database V5 | 06/22/2026, 16:32:45 UTC | Added: 06/22/2026, 17:39:40 UTC

CVE-2026-54278: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) in aio-libs aiohttp
CVE-2026-54278 is a medium severity vulnerability in aiohttp, an asynchronous HTTP client/server framework for Python. Versions prior to 3.14.1 may decompress a compressed request body into memory in one chunk during cleanup, which can lead to excessive memory consumption. This behavior can be exploited by sending a specially crafted compressed payload, potentially causing a denial of service (DoS) via a zip bomb-like data amplification. The issue is fixed in version 3.14.1.
CVE Database V5 | 06/22/2026, 16:38:38 UTC | Added: 06/22/2026, 17:39:40 UTC

CVE-2026-54277: CWE-770: Allocation of Resources Without Limits or Throttling in aio-libs aiohttp
CVE-2026-54277 affects aiohttp, an asynchronous HTTP client/server framework for Python. Versions prior to 3.14.1 allow bypassing the max_line_size check in parts of an HTTP request when using the default optimized C parser. This can lead to processing oversized HTTP request lines, resulting in excessive memory consumption and potential denial of service. The vulnerability is fixed in version 3.14.1.
CVE Database V5 | 06/22/2026, 16:37:28 UTC | Added: 06/22/2026, 17:39:39 UTC

CVE-2026-54276: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in aio-libs aiohttp
AIOHTTP versions prior to 3.14.1 contain a vulnerability in DigestAuthMiddleware where an authentication response can be sent after following a cross-origin redirect. This may expose sensitive information such as user credentials if an attacker exploits an open redirect on the target domain. The vulnerability is fixed in version 3.14.1.
CVE Database V5 | 06/22/2026, 16:36:23 UTC | Added: 06/22/2026, 17:39:39 UTC

CVE-2026-54275: CWE-297: Improper Validation of Certificate with Host Mismatch in aio-libs aiohttp
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check. This vulnerability is fixed in 3.14.1.
CVE Database V5 | 06/22/2026, 16:34:56 UTC | Added: 06/22/2026, 17:39:39 UTC

CVE-2026-54274: CWE-770: Allocation of Resources Without Limits or Throttling in aio-libs aiohttp
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1.
CVE Database V5 | 06/22/2026, 16:33:37 UTC | Added: 06/22/2026, 17:39:39 UTC

CVE-2026-54273: CWE-770: Allocation of Resources Without Limits or Throttling in aio-libs aiohttp
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
CVE Database V5 | 06/22/2026, 16:41:20 UTC | Added: 06/22/2026, 17:39:39 UTC

CVE-2026-50269: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in aio-libs aiohttp
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0.
CVE Database V5 | 06/22/2026, 16:30:55 UTC | Added: 06/22/2026, 17:39:38 UTC

CVE-2026-47265: CWE-346: Origin Validation Error in aio-libs aiohttp
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.
CVE Database V5 | 06/02/2026, 18:32:50 UTC | Added: 06/02/2026, 19:52:52 UTC
Showing 1 to 10 of 11 results