Insufficient Header Handling in AIOHTTP Framework Leading to Memory Issues
CVE-2026-22815

6.9MEDIUM

Key Information:

Vendor

Aio-libs

Status
Aiohttp
Vendor
CVE Published:
1 April 2026

What is CVE-2026-22815?

AIOHTTP, an asynchronous HTTP client/server framework utilized in Python applications, exhibits a vulnerability due to insufficient restrictions in handling headers and trailers. This design flaw can lead to unbounded memory usage, potentially resulting in Denial of Service (DoS) conditions if exploited. The issue has been addressed in version 3.13.4, where the necessary safeguards to control memory allocation and management in response to header data have been implemented.

Affected Version(s)

aiohttp < 3.13.4

References

https://github.com/aio-libs/aiohttp/security/advisories/G...
x_refsource_CONFIRM
https://github.com/aio-libs/aiohttp/commit/0c2e9da5112623...
x_refsource_MISC
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.