AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1.
Metrics
Affected Vendors & Products
References
History
Fri, 26 Jun 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Tue, 23 Jun 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 22 Jun 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Aio-libs
Aio-libs aiohttp |
|
| Vendors & Products |
Aio-libs
Aio-libs aiohttp |
Mon, 22 Jun 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1. | |
| Title | AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup | |
| Weaknesses | CWE-409 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-22T16:38:38.838Z
Updated: 2026-06-23T16:10:36.815Z
Reserved: 2026-06-12T17:13:32.280Z
Link: CVE-2026-54278
Updated: 2026-06-23T13:51:54.336Z
No data.