CVE Catalog

CVE-2026-54274

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

22th percentile — higher than 22% of all known CVEs

Summary

A vulnerability in AIOHTTP before version 3.14.1 allows an attacker to bypass memory limits by sending large incomplete WebSocket frame payloads. This can lead to excessive memory consumption and potential server resource exhaustion.

Risk Assessment

An attacker can cause server memory exhaustion, leading to denial of service (DoS) and potential application destabilization.

Recommendation

Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix limiting the size of WebSocket frame payloads.

Original NVD description (English source)

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS