CVE-2026-34517

LOW2.7Denial of service

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Unchanged

Affected products

aio-libs / aiohttp< 3.13.4 – < 3.13.4

References

VENDOR_ADVISORYhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j
PATCHhttps://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145
PATCHhttps://github.com/aio-libs/aiohttp/releases/tag/v3.13.4