Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54273

CVE-2026-54273: AIOHTTP DoS Vulnerability via Pipelining

CVE-2026-54273 is a denial of service vulnerability in AIOHTTP framework caused by unlimited pipelined requests that consume excessive memory. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-54273 Overview

CVE-2026-54273 is a denial of service vulnerability in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. Versions prior to 3.14.1 do not enforce a limit on the number of pipelined HTTP requests that can be queued per connection. An attacker can send a large volume of pipelined requests over a single connection, forcing the server to buffer them in memory. The resulting memory exhaustion can degrade or crash the affected server process. The issue is tracked as [CWE-770: Allocation of Resources Without Limits or Throttling] and is fixed in aiohttp 3.14.1.

Critical Impact

Remote unauthenticated attackers can trigger memory exhaustion in aiohttp servers by flooding a single connection with pipelined requests, leading to denial of service.

Affected Products

  • aiohttp versions prior to 3.14.1
  • Python applications using aiohttp as an HTTP server
  • Services built on the aiohttp web framework exposed over the network

Discovery Timeline

  • 2026-06-22 - CVE-2026-54273 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-54273

Vulnerability Analysis

The vulnerability resides in the HTTP request parser used by aiohttp server connections. HTTP pipelining allows a client to send multiple requests over a single TCP connection without waiting for prior responses. The parser queues each incoming request as a message until the application layer consumes it. Before version 3.14.1, the queue grew without an upper bound, allowing a client to push messages faster than the server processes them. Each queued message retains parsed headers and associated state in process memory. A sustained pipelined flood from a single connection can therefore drive the Python process toward memory exhaustion and trigger denial of service for all users of the service.

Root Cause

The parser tracked in-flight messages but did not compare that count to a maximum threshold before accepting additional requests. Without throttling, the server continued to allocate parser state and message objects for every pipelined request received on the connection.

Attack Vector

The attack requires only network reachability to the aiohttp server. No authentication or user interaction is needed. An attacker opens a TCP connection and writes a stream of well-formed HTTP requests back-to-back without consuming responses. The server buffers the requests in the internal queue, increasing resident memory until the process is killed by the operating system or becomes unresponsive.

text
         list    _messages
         bint    _more_data_available
         bint    _paused
+        Py_ssize_t _msg_in_flight
+        Py_ssize_t _max_msg_queue_size
         bint    _eof_pending
         object  _payload
         unsigned long long _content_length_expected

Source: aiohttp commit dfdfa9d5

The patch in aiohttp/_http_parser.pyx introduces two new counters, _msg_in_flight and _max_msg_queue_size, that bound the number of pipelined messages a single connection may queue.

Detection Methods for CVE-2026-54273

Indicators of Compromise

  • Sudden, sustained memory growth in aiohttp worker processes without a corresponding rise in completed request rate.
  • Single client connections producing an unusually high count of inbound HTTP requests with few or no read responses.
  • Process termination via OOM killer or MemoryError exceptions logged by the application.

Detection Strategies

  • Monitor per-connection request counts at the reverse proxy or load balancer and alert on connections exceeding normal pipelining ratios.
  • Inspect HTTP access logs for many sequential requests from the same source IP and connection identifier within a short window.
  • Track resident set size (RSS) of aiohttp processes and correlate spikes with concurrent network sessions.

Monitoring Recommendations

  • Enable connection-level metrics in front-end proxies such as NGINX or HAProxy to surface long-lived connections with high request counts.
  • Forward Python application logs and host memory telemetry to a centralized analytics platform for correlation.
  • Establish baselines for HTTP request-per-connection ratios and alert on statistical deviations.

How to Mitigate CVE-2026-54273

Immediate Actions Required

  • Upgrade aiohttp to version 3.14.1 or later in all server deployments.
  • Audit dependency manifests (requirements.txt, pyproject.toml, Pipfile.lock) to identify pinned vulnerable versions.
  • Rebuild and redeploy container images that bundle aiohttp to ensure the patched wheel is installed.

Patch Information

The fix is delivered in aiohttp 3.14.1. The patch bounds the pipelined message queue per connection by tracking _msg_in_flight against _max_msg_queue_size in _http_parser.pyx. Refer to the GitHub Security Advisory GHSA-4fvr-rgm6-gqmc and the upstream commit for implementation details.

Workarounds

  • Place a reverse proxy in front of aiohttp that disables or limits HTTP pipelining and enforces per-connection request quotas.
  • Apply rate limiting and connection memory limits at the load balancer or WAF layer.
  • Constrain process memory using cgroups or container limits so a single worker cannot exhaust host memory.
bash
# Configuration example: upgrade aiohttp to the patched release
pip install --upgrade 'aiohttp>=3.14.1'

# Verify installed version
python -c "import aiohttp; print(aiohttp.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.