CVE Catalog

CVE-2026-54273

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

In the AIOHTTP library before version 3.14.1, there was no limit on the number of pipelined requests that could be queued. An attacker can exploit this to cause excessive memory usage, potentially leading to a DoS attack.

Risk Assessment

The lack of a limit on pipelined requests may allow an attacker to send a large number of requests, leading to server memory exhaustion and service disruption.

Recommendation

Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix limiting the number of pipelined requests.

Original NVD description (English source)

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS