CVE-2026-54278
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
In the AIOHTTP library before version 3.14.1, a vulnerability was found where a compressed request body could be decompressed into memory in one chunk during cleanup. An attacker can send a specially crafted compressed payload that, after decompression, could lead to server overload (a zip bomb edge case).
Risk Assessment
The risk involves the possibility of a DoS (Denial of Service) attack by sending a malicious compressed request that, after decompression, could significantly burden server memory, leading to its unavailability.
Recommendation
Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1.

