CVE Catalog

CVE-2026-54278

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

In the AIOHTTP library before version 3.14.1, a vulnerability was found where a compressed request body could be decompressed into memory in one chunk during cleanup. An attacker can send a specially crafted compressed payload that, after decompression, could lead to server overload (a zip bomb edge case).

Risk Assessment

The risk involves the possibility of a DoS (Denial of Service) attack by sending a malicious compressed request that, after decompression, could significantly burden server memory, leading to its unavailability.

Recommendation

Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS