CVE-2026-34517
MEDIUMAIOHTTP: Late size enforcement for non-file multipart fields causes memory DoS
Title source: cnaDescription
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
Scores
CVSS v3
5.3
EPSS
0.0038
EPSS Percentile
30.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (3)
aio-libs/aiohttp
< 3.13.4
aiohttp/aiohttp
< 3.13.4
pypi/aiohttp
0 - 3.13.4PyPI
Published
Apr 01, 2026
Tracked Since
Apr 02, 2026