PyPI: aiohttp
CVE-2026-22815
Safety vulnerability ID: SFTY-20260401-83301
### Summary
Insufficient restrictions in header/trailer handling could cause uncapped memory usage.

### Impact
An application could cause memory exhaustion when receiving an attacker-controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36
Overview
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
References
- https://getsafety.com/vulnerabilities/SFTY-20260401-83301/CVE-2026-22815
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5
- https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36
- https://nvd.nist.gov/vuln/detail/CVE-2026-22815
- https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
- https://github.com/advisories/GHSA-w2fm-2cpv-w7v5
