CVE-2026-54278

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1.
Configurations

Configuration 1 (hide)

cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*

History

26 Jun 2026, 19:27

Type Values Removed Values Added
CPE cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
References () https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232 - () https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232 - Patch
References () https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74 - () https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74 - Third Party Advisory
First Time Aiohttp
Aiohttp aiohttp

22 Jun 2026, 18:28

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-22 18:16

Updated : 2026-06-26 19:27


NVD link : CVE-2026-54278

Mitre link : CVE-2026-54278

CVE.ORG link : CVE-2026-54278


JSON object : View

Products Affected

aiohttp

  • aiohttp
CWE
CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)