← volver
CVE-2026-54277

AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines

CVSS 6.6 MEDIUMEPSS 0.3%CWE-770
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Productos afectados
aio-libs · aiohttp

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804dhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2