AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1.
References
| Link | Resource |
|---|---|
| https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232 | Patch |
| https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74 | Third Party Advisory |
Configurations
History
26 Jun 2026, 19:27
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:* |
| CVSS | v2 : , v3 : | v2 : unknown, v3 : 7.5 |
| References | | https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232 - Patch |
| References | | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74 - Third Party Advisory |
| First Time | | Aiohttp, Aiohttp aiohttp |
22 Jun 2026, 18:28
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-06-22 18:16
Updated : 2026-06-26 19:27
NVD link : CVE-2026-54278
Mitre link : CVE-2026-54278
CVE.ORG link : CVE-2026-54278
Products Affected
aiohttp
- aiohttp
CWE
CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
