CVE-2026-54277 | AIOHTTP is an asynchronous HTTP client/server framework for … | CVSS 6.6 MEDIUM

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.

Metadata

CVE ID: CVE-2026-54277
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 17:13 UTC
Published: 2026-06-22 16:37 UTC
Last updated: 2026-06-22 16:37 UTC
Primary CWE: CWE-770
CWE-770: Allocation of Resources Without Limits or Throttlin…
Vendor / Product: aio-libs / aiohttp
Sources: cve.org · NVD

Severity & Metrics

6.6 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Affected products (1)

Vendor	Product	Platform	Versions
aio-libs	aiohttp	—	< 3.14.1

Weakness (CWE)

CWE	Source	Description
CWE-770	cna	CWE-770: Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.6	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References (2)

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2
https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d