CVE-2026-54273
Analyzed Analyzed - Analysis Complete

Memory Exhaustion in AIOHTTP via Pipelined Requests

Vulnerability report for CVE-2026-54273, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-26
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
aiohttp aiohttp to 3.14.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54273 is a vulnerability in the aiohttp library, an asynchronous HTTP client/server framework for Python. Prior to version 3.14.1, aiohttp did not limit the number of pipelined HTTP/1 requests that could be queued. This means an attacker could send many pipelined requests without waiting for responses, causing the server to buffer these requests indefinitely.

Because there was no limit on queued requests, this could lead to excessive memory consumption on the server, potentially causing a denial-of-service (DoS) condition by exhausting server resources.

The vulnerability was fixed in version 3.14.1 by introducing a bounded queue mechanism that limits the number of buffered pipelined requests per connection to 32. When this limit is reached, the server stops reading new requests until the queue is processed, preventing unbounded memory growth.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial-of-service (DoS) on your aiohttp-based server or application.

By sending a large number of pipelined HTTP/1 requests without waiting for responses, an attacker can cause your server to consume excessive memory, potentially leading to resource exhaustion and service unavailability.

This can degrade the performance of your service or cause it to crash, affecting availability and reliability.

Detection Guidance

This vulnerability involves an attacker sending a large number of pipelined HTTP/1 requests to an aiohttp server, causing excessive memory usage. Detection can focus on monitoring for unusually high numbers of pipelined HTTP/1 requests or abnormal memory consumption by the aiohttp server process.

You can use network monitoring tools or packet capture utilities like tcpdump or Wireshark to identify multiple pipelined HTTP/1 requests from the same client without corresponding responses.

  • Use tcpdump to capture HTTP traffic on the server port (e.g., port 80 or 8080): tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Analyze captured traffic in Wireshark to look for multiple HTTP/1 pipelined requests sent in quick succession from the same client IP.
  • Monitor the aiohttp server process memory usage with commands like: top, htop, or ps aux --sort=-rss | grep aiohttp

If you observe a high number of pipelined requests or memory usage spikes without corresponding legitimate traffic patterns, it may indicate exploitation attempts of this vulnerability.

Mitigation Strategies

The primary mitigation step is to update the aiohttp library to version 3.14.1 or later, where this vulnerability has been fixed by introducing a limit on the number of pipelined requests buffered per connection.

Until the update can be applied, consider implementing network-level protections such as rate limiting or filtering to restrict excessive pipelined HTTP/1 requests from clients.

Monitor server resource usage closely to detect and respond to potential denial-of-service attempts.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54273. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart