Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.

Related CPE's

a

aiohttp

aiohttp

Vulnerable

References

https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229

Patch

https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712

Patch

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq

Vendor AdvisoryPatch

Weaknesses

[email protected]

Primary
CWE-770

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 · High

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-06T00:15:48.347Z

1 week ago

Last modified

2026-01-14T19:17:34.960Z

1 hour ago