CVE-2026-34517
Status: Received (intake)
Memory Exhaustion Vulnerability in aiohttp Multipart Form Handling

Publication date: 2026-04-01

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
Meta Information
Published: 2026-04-01
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: aiohttp
Product: aiohttp
Version / Range: all versions before 3.13.4 (3.13.4 itself is not affected)
CWE
CWE-770: Allocation of Resources Without Limits or Throttling. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. Before version 3.13.4, for some multipart form fields the server read the entire field into memory before enforcing client_max_size, the application's configured request body limit. An oversized field in one of those forms was therefore buffered in full before the limit was checked, so the limit did not actually bound the server's peak memory use for such a field.

Version 3.13.4 fixes this by enforcing client_max_size before the whole field has been read into memory, so an oversized field is rejected without first being buffered in full.
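The following is an added illustration of the two patterns the answer contrasts, written for this page; it is not aiohttp's implementation, and the boundary, field name, chunk size and function names are constructed for the demonstration. A minimal streaming reader extracts one field's payload from a multipart body delivered in socket-sized chunks; one consumer buffers the whole field and only then compares it to the limit (the pre-3.13.4 behaviour described above), the other enforces the limit as chunks arrive and stops before exceeding it.

```python
"""
CWE-770 in a multipart field reader: buffer-then-check versus
check-while-reading. Example code written for this page, not aiohttp's
code; body layout, chunk size and names are constructed.
"""
from typing import Iterable, Iterator, Tuple

BOUNDARY = b"----formboundary"  # constructed multipart boundary
CHUNK = 4096                     # pretend socket read size


def build_multipart_body(field_name: str, payload: bytes) -> bytes:
    """Construct a minimal single-field multipart/form-data body."""
    return (
        b"--" + BOUNDARY + b"\r\n"
        + b'Content-Disposition: form-data; name="' + field_name.encode() + b'"\r\n'
        + b"\r\n"
        + payload + b"\r\n"
        + b"--" + BOUNDARY + b"--\r\n"
    )


def network_chunks(body: bytes, size: int = CHUNK) -> Iterator[bytes]:
    """Simulate the body arriving from the socket in fixed-size chunks."""
    for i in range(0, len(body), size):
        yield body[i:i + size]


def field_payload_chunks(chunks: Iterable[bytes]) -> Iterator[bytes]:
    """Yield the first field's payload as it streams in.

    Skips the part headers, then emits payload bytes up to the closing
    boundary. The last len(closing)-1 bytes are held back so a boundary
    split across two chunks is still recognised.
    """
    closing = b"\r\n--" + BOUNDARY
    buf = b""
    in_payload = False
    for chunk in chunks:
        buf += chunk
        if not in_payload:
            idx = buf.find(b"\r\n\r\n")
            if idx < 0:
                continue            # headers not complete yet
            buf = buf[idx + 4:]
            in_payload = True
        end = buf.find(closing)
        if end >= 0:
            yield buf[:end]         # payload ends at the closing boundary
            return
        safe = len(buf) - (len(closing) - 1)
        if safe > 0:
            yield buf[:safe]        # safe to release: cannot start a boundary
            buf = buf[safe:]
    raise ValueError("closing boundary not found")


def read_field_then_check(chunks: Iterable[bytes], max_size: int) -> Tuple[bool, int]:
    """Vulnerable pattern: read the whole field, then compare to max_size.

    Returns (accepted, peak_bytes_buffered). The peak equals the full
    field size even when the field is rejected.
    """
    data = b"".join(field_payload_chunks(chunks))  # entire field in memory
    return (len(data) <= max_size, len(data))


def read_field_with_cap(chunks: Iterable[bytes], max_size: int) -> Tuple[bool, int]:
    """Hardened pattern: enforce max_size while the field is streaming in.

    Returns (accepted, peak_bytes_buffered); the peak never exceeds max_size.
    """
    buf = bytearray()
    for piece in field_payload_chunks(chunks):
        if len(buf) + len(piece) > max_size:
            return (False, len(buf))  # reject before buffering more
        buf += piece
    return (True, len(buf))


if __name__ == "__main__":
    limit = 64 * 1024                       # e.g. client_max_size = 64 KiB
    big = build_multipart_body("note", b"A" * (1 << 20))  # 1 MiB field
    print("buffer-then-check:", read_field_then_check(network_chunks(big), limit))
    print("check-while-reading:", read_field_with_cap(network_chunks(big), limit))
```

Running it with a 1 MiB field against a 64 KiB limit, both readers reject the field, but the first has already held the full 1 MiB in memory when it does so, while the second never buffers more than the limit; that gap, multiplied by concurrent requests, is the denial-of-service exposure described in this advisory.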


How can this vulnerability impact me?

A server that parses multipart form data can be made to allocate far more memory than client_max_size was meant to permit: a request carrying a very large field in one of the affected forms is buffered in full before the limit rejects it, so the rejection comes too late to protect the process. Repeated or concurrent requests of this kind can drive up memory use, degrade performance, or exhaust memory and cause a denial of service.


What immediate steps should I take to mitigate this vulnerability?

Upgrade aiohttp to version 3.13.4 or later, where the issue is patched. Until the upgrade is deployed, a request body size limit enforced in front of the application (for example at a reverse proxy) bounds how much a single request can make the server buffer, because a body rejected there never reaches the affected code path.

