CVE-2026-54274
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
A vulnerability in AIOHTTP before version 3.14.1 allows an attacker to bypass memory limits by sending large incomplete WebSocket frame payloads. This can lead to excessive memory consumption and potential server resource exhaustion.
Risk Assessment
An attacker can cause server memory exhaustion, leading to denial of service (DoS) and potential application destabilization.
Recommendation
Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix limiting the size of WebSocket frame payloads.
Original NVD description (English source)
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1.

