CVE-2026-54273 | AIOHTTP is an asynchronous HTTP client/server framework for … | CVSS 6.6 MEDIUM

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.

Metadata

CVE ID: CVE-2026-54273
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 17:13 UTC
Published: 2026-06-22 16:41 UTC
Last updated: 2026-06-22 17:38 UTC
Primary CWE: CWE-770
CWE-770: Allocation of Resources Without Limits or Throttlin…
Vendor / Product: aio-libs / aiohttp
Sources: cve.org · NVD

Severity & Metrics

6.6 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
aio-libs	aiohttp	—	< 3.14.1

Weakness (CWE)

CWE	Source	Description
CWE-770	cna	CWE-770: Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.6	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References (2)

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4fvr-rgm6-gqmc https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4fvr-rgm6-gqmc
https://github.com/aio-libs/aiohttp/commit/dfdfa9d5aad5d21f91c79fb2ceeba0f8046cb6cf https://github.com/aio-libs/aiohttp/commit/dfdfa9d5aad5d21f91c79fb2ceeba0f8046cb6cf