PyPI: aiohttp
CVE-2026-34516
Safety vulnerability ID: SFTY-20260401-56057
Safety legacy ID: pyup.io-91410
Overview
AIOHTTP has a Multipart Header Size Bypass
Advisory
Affected versions of the aiohttp package are vulnerable to Denial of Service due to insufficient size restrictions on multipart headers. Multipart headers were not subject to the same memory limits enforced for standard HTTP headers, allowing an attacker to send a response containing an excessive number of multipart headers that consume significantly more memory than intended. An attacker could exploit this by crafting a specially formed multipart response to exhaust server memory resources, potentially degrading or disrupting service availability.
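The following is an added example, not aiohttp's code or its fix: a minimal part-header reader that applies the kind of size and count limits the advisory says multipart headers were missing. The limit values, the names `read_part_headers` and `outcome`, and the sample inputs are assumptions constructed for illustration.

```python
import io

# Limits are assumptions chosen for this example, not aiohttp's values.
MAX_FIELD_SIZE = 8190      # bytes allowed in one header line
MAX_HEADERS = 64           # header fields allowed per part
MAX_HEADER_BYTES = 16384   # total header bytes allowed per part


class PartHeaderLimitExceeded(ValueError):
    """A part's header block exceeded a configured limit."""


def read_part_headers(stream):
    """Read one part's headers from a binary stream, up to the blank line."""
    headers, total = [], 0
    while True:
        # readline(n) returns at most n bytes, so an endless line is never buffered.
        line = stream.readline(MAX_FIELD_SIZE + 1)
        if len(line) > MAX_FIELD_SIZE:
            raise PartHeaderLimitExceeded("header line too long")
        if line in (b"\r\n", b"\n", b""):
            return headers
        total += len(line)
        if total > MAX_HEADER_BYTES:
            raise PartHeaderLimitExceeded("header block too large")
        if len(headers) >= MAX_HEADERS:
            raise PartHeaderLimitExceeded("too many header fields")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))


def outcome(raw):
    """Return the header count, or the limit that rejected the block."""
    try:
        return len(read_part_headers(io.BytesIO(raw)))
    except PartHeaderLimitExceeded as exc:
        return str(exc)


# Constructed sample inputs (not captured traffic).
NORMAL = b'Content-Disposition: form-data; name="f"\r\nContent-Type: text/plain\r\n\r\nbody'
MANY = b"".join(b"X-%d: a\r\n" % i for i in range(10000)) + b"\r\n"
LONG = b"X-A: " + b"a" * 20000 + b"\r\n\r\n"
BULKY = b"".join(b"X-%d: " % i + b"a" * 500 + b"\r\n" for i in range(40)) + b"\r\n"

if __name__ == "__main__":
    for label, raw in [("normal", NORMAL), ("many", MANY), ("long", LONG), ("bulky", BULKY)]:
        print(label, "->", outcome(raw))
```

Each limit is checked before the line is stored, so the memory held for one part's headers is bounded by the limits rather than by what the peer sends.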
References
- https://getsafety.com/vulnerabilities/SFTY-20260401-56057/CVE-2026-34516
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34516
- https://data.safetycli.com/changelogs/aiohttp/
- https://github.com/advisories/GHSA-m5qp-6w8w-w647
- https://pypi.org/project/aiohttp
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m5qp-6w8w-w647
- https://nvd.nist.gov/vuln/detail/CVE-2026-34516
- https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f
- https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
