CVE-2026-34513 Overview
AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, contains a resource exhaustion vulnerability in versions prior to 3.13.4. The vulnerability stems from an unbounded DNS cache implementation that allows excessive memory usage, potentially resulting in a Denial of Service (DoS) condition. This issue affects applications using AIOHTTP's DNS caching functionality without size constraints, allowing attackers to trigger memory exhaustion by forcing the cache to grow indefinitely.
Critical Impact
Unbounded DNS cache growth can lead to memory exhaustion and service unavailability in Python applications using AIOHTTP for HTTP client/server operations.
Affected Products
- AIOHTTP versions prior to 3.13.4
- Python applications utilizing AIOHTTP's TCPConnector with DNS caching enabled
- Asyncio-based HTTP services built on vulnerable AIOHTTP versions
Discovery Timeline
- 2026-04-01 - CVE-2026-34513 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34513
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue lies in the _DNSCacheTable class within AIOHTTP's connector module, which previously implemented DNS caching without any upper bound on the number of cached entries. When an application resolves DNS names through AIOHTTP's connection infrastructure, resolved addresses are stored in an internal dictionary without size constraints.
In scenarios where an attacker can influence or trigger DNS resolution for a large number of unique hostnames, the cache grows unbounded, consuming increasing amounts of memory. This is particularly problematic for applications that handle requests to numerous distinct domains or where user input influences DNS resolution targets.
Root Cause
The root cause is the absence of a maximum size limit in the _DNSCacheTable implementation. The original code used a standard Python dictionary (Dict) to store cached DNS entries with no eviction policy or size constraints. Without bounds checking, each unique hostname-port combination added to the cache persists indefinitely (or until TTL expiration if configured), allowing memory consumption to grow linearly with the number of unique DNS lookups.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by:
- Identifying an application using vulnerable AIOHTTP versions for outbound HTTP requests
- Causing the application to make requests to numerous unique hostnames (e.g., through user-controlled URLs, redirect chains, or API endpoints that accept external URLs)
- Forcing the DNS cache to accumulate entries until available memory is exhausted
- Triggering a denial of service when the Python process runs out of memory
class _DNSCacheTable:
- def __init__(self, ttl: Optional[float] = None) -> None:
- self._addrs_rr: Dict[Tuple[str, int], Tuple[Iterator[ResolveResult], int]] = {}
+ def __init__(self, ttl: Optional[float] = None, max_size: int = 1000) -> None:
+ self._addrs_rr: OrderedDict[
+ Tuple[str, int], Tuple[Iterator[ResolveResult], int]
+ ] = OrderedDict()
self._timestamps: Dict[Tuple[str, int], float] = {}
self._ttl = ttl
+ self._max_size = max_size
def __contains__(self, host: object) -> bool:
return host in self._addrs_rr
def add(self, key: Tuple[str, int], addrs: List[ResolveResult]) -> None:
+ if key in self._addrs_rr:
+ self._addrs_rr.move_to_end(key)
+
self._addrs_rr[key] = (cycle(addrs), len(addrs))
if self._ttl is not None:
self._timestamps[key] = monotonic()
+ if len(self._addrs_rr) > self._max_size:
+ oldest_key, _ = self._addrs_rr.popitem(last=False)
+ self._timestamps.pop(oldest_key, None)
+
def remove(self, key: Tuple[str, int]) -> None:
Source: GitHub Commit Details
Detection Methods for CVE-2026-34513
Indicators of Compromise
- Gradual memory consumption increase in Python processes running AIOHTTP-based applications
- Unusually high number of unique DNS resolution requests in application logs
- Out-of-memory (OOM) errors or process termination events in AIOHTTP services
- Application slowdown or unresponsiveness correlating with memory pressure
Detection Strategies
- Monitor Python process memory usage metrics for AIOHTTP applications and alert on sustained growth patterns
- Implement application-level logging to track DNS cache statistics and unique hostname counts
- Review application logs for patterns indicating attempts to trigger requests to numerous distinct domains
- Use dependency scanning tools to identify applications running AIOHTTP versions prior to 3.13.4
Monitoring Recommendations
- Configure memory usage thresholds and alerts for production AIOHTTP services
- Implement rate limiting on endpoints that perform outbound HTTP requests to user-controlled URLs
- Deploy application performance monitoring (APM) tools to track DNS resolution patterns and cache behavior
- Establish baseline memory consumption metrics to detect anomalous growth trends
How to Mitigate CVE-2026-34513
Immediate Actions Required
- Upgrade AIOHTTP to version 3.13.4 or later immediately
- Review all Python applications for AIOHTTP dependencies and prioritize patching internet-facing services
- Implement network-level rate limiting for applications that cannot be immediately patched
- Consider disabling DNS caching temporarily in AIOHTTP TCPConnector configurations as a short-term measure
Patch Information
The vulnerability has been patched in AIOHTTP version 3.13.4. The fix introduces a max_size parameter (defaulting to 1000 entries) for the _DNSCacheTable class and implements an LRU-style eviction policy using Python's OrderedDict. When the cache exceeds the maximum size, the oldest entry is automatically removed. For detailed patch information, see the GitHub Security Advisory GHSA-hcc4-c3v8-rx92 and GitHub Release Version 3.13.4.
Workarounds
- Disable DNS caching by setting ttl_dns_cache=None when creating AIOHTTP TCPConnector instances
- Implement application-level controls to restrict the number of unique external domains that can be requested
- Deploy containerized applications with memory limits to contain the impact of potential memory exhaustion
- Use network egress filtering to limit outbound DNS resolution to known required domains
# Configuration example - Upgrade AIOHTTP to patched version
pip install --upgrade aiohttp>=3.13.4
# Verify installed version
pip show aiohttp | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
