AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
Title AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-22T16:37:28.532Z

Updated: 2026-06-23T16:10:22.363Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54277

cve-icon Vulnrichment

Updated: 2026-06-23T14:48:12.607Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T16:37:28Z

Links: CVE-2026-54277 - Bugzilla