CVE-2026-54277

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
Configurations

Configuration 1 (hide)

cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*

History

30 Jun 2026, 18:11

Type Values Removed Values Added
References () https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d - () https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d - Patch
References () https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2 - () https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2 - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Aiohttp
Aiohttp aiohttp
CPE cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*

22 Jun 2026, 18:28

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-22 18:16

Updated : 2026-06-30 18:11


NVD link : CVE-2026-54277

Mitre link : CVE-2026-54277

CVE.ORG link : CVE-2026-54277


JSON object : View

Products Affected

aiohttp

  • aiohttp
CWE
CWE-770

Allocation of Resources Without Limits or Throttling