PyPI: aiohttp

CVE-2026-34517

Safety vulnerability ID: SFTY-20260401-00930

Safety legacy ID: pyup.io-91424

Affected versions of the aiohttp package are vulnerable to Denial of Service due to late enforcement of the client_max_size limit on non-file multipart form fields. When an application uses Request.post() to parse multipart data, the entire field content is read into memory before the size check is applied, allowing oversized payloads to cause significant temporary memory allocation. An attacker can exploit this by sending specially crafted multipart requests to exhaust server memory and degrade service availability.

PythonPyPINVDNVDGitHubGHSA
Created at: May 22, 2026Updated at: May 22, 2026

Overview

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Advisory

Affected versions of the aiohttp package are vulnerable to Denial of Service due to late enforcement of the client_max_size limit on non-file multipart form fields. When an application uses Request.post() to parse multipart data, the entire field content is read into memory before the size check is applied, allowing oversized payloads to cause significant temporary memory allocation. An attacker can exploit this by sending specially crafted multipart requests to exhaust server memory and degrade service availability.

Affected Package

Affecting aiohttp package, versions
<=3.13.3

Also affects

---

How to Fix

Upgrade
aiohttp
to
3.13.4
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more