CVE-2026-22815
HIGHAIOHTTP: Uncapped memory usage possible through aiohttp allowing unlimited trailer headers
Title source: cnaDescription
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
Scores
CVSS v3
7.5
EPSS
0.0044
EPSS Percentile
34.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
CWE-770
Status
published
Products (3)
aio-libs/aiohttp
< 3.13.4
aiohttp/aiohttp
< 3.13.4
pypi/aiohttp
0 - 3.13.4PyPI
Published
Apr 01, 2026
Tracked Since
Apr 02, 2026