CVE Catalog

CVE-2026-54277

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

In the AIOHTTP library before version 3.14.1, a vulnerability allows bypassing the max_line_size check in HTTP requests when using the optimized C parser. An attacker can send oversized lines, causing excessive memory consumption and potentially leading to a DoS attack.

Risk Assessment

The organization is at risk of memory exhaustion on the server, which can result in service disruption (DoS) and loss of application availability for users.

Recommendation

Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS