CVE-2026-54273
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
In the AIOHTTP library before version 3.14.1, there was no limit on the number of pipelined requests that could be queued. An attacker can exploit this to cause excessive memory usage, potentially leading to a DoS attack.
Risk Assessment
The lack of a limit on pipelined requests may allow an attacker to send a large number of requests, leading to server memory exhaustion and service disruption.
Recommendation
Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix limiting the number of pipelined requests.
Original NVD description (English source)
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.

