CVE-2026-34513
HIGHAIOHTTP: Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
Title source: cnaDescription
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hcc4-c3v8-rx92
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
Scores
CVSS v3
7.5
EPSS
0.0044
EPSS Percentile
34.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (3)
aio-libs/aiohttp
< 3.13.4
aiohttp/aiohttp
< 3.13.4
pypi/aiohttp
0 - 3.13.4PyPI
Published
Apr 01, 2026
Tracked Since
Apr 02, 2026