CVE-2026-54273 Overview
CVE-2026-54273 is a denial of service vulnerability in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. Versions prior to 3.14.1 do not enforce a limit on the number of pipelined HTTP requests that can be queued per connection. An attacker can send a large volume of pipelined requests over a single connection, forcing the server to buffer them in memory. The resulting memory exhaustion can degrade or crash the affected server process. The issue is tracked as [CWE-770: Allocation of Resources Without Limits or Throttling] and is fixed in aiohttp 3.14.1.
Critical Impact
Remote unauthenticated attackers can trigger memory exhaustion in aiohttp servers by flooding a single connection with pipelined requests, leading to denial of service.
Affected Products
- aiohttp versions prior to 3.14.1
- Python applications using aiohttp as an HTTP server
- Services built on the aiohttp web framework exposed over the network
Discovery Timeline
- 2026-06-22 - CVE-2026-54273 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-54273
Vulnerability Analysis
The vulnerability resides in the HTTP request parser used by aiohttp server connections. HTTP pipelining allows a client to send multiple requests over a single TCP connection without waiting for prior responses. The parser queues each incoming request as a message until the application layer consumes it. Before version 3.14.1, the queue grew without an upper bound, allowing a client to push messages faster than the server processes them. Each queued message retains parsed headers and associated state in process memory. A sustained pipelined flood from a single connection can therefore drive the Python process toward memory exhaustion and trigger denial of service for all users of the service.
Root Cause
The parser tracked in-flight messages but did not compare that count to a maximum threshold before accepting additional requests. Without throttling, the server continued to allocate parser state and message objects for every pipelined request received on the connection.
Attack Vector
The attack requires only network reachability to the aiohttp server. No authentication or user interaction is needed. An attacker opens a TCP connection and writes a stream of well-formed HTTP requests back-to-back without consuming responses. The server buffers the requests in the internal queue, increasing resident memory until the process is killed by the operating system or becomes unresponsive.
list _messages
bint _more_data_available
bint _paused
+ Py_ssize_t _msg_in_flight
+ Py_ssize_t _max_msg_queue_size
bint _eof_pending
object _payload
unsigned long long _content_length_expected
Source: aiohttp commit dfdfa9d5
The patch in aiohttp/_http_parser.pyx introduces two new counters, _msg_in_flight and _max_msg_queue_size, that bound the number of pipelined messages a single connection may queue.
Detection Methods for CVE-2026-54273
Indicators of Compromise
- Sudden, sustained memory growth in aiohttp worker processes without a corresponding rise in completed request rate.
- Single client connections producing an unusually high count of inbound HTTP requests with few or no read responses.
- Process termination via OOM killer or MemoryError exceptions logged by the application.
Detection Strategies
- Monitor per-connection request counts at the reverse proxy or load balancer and alert on connections exceeding normal pipelining ratios.
- Inspect HTTP access logs for many sequential requests from the same source IP and connection identifier within a short window.
- Track resident set size (RSS) of aiohttp processes and correlate spikes with concurrent network sessions.
Monitoring Recommendations
- Enable connection-level metrics in front-end proxies such as NGINX or HAProxy to surface long-lived connections with high request counts.
- Forward Python application logs and host memory telemetry to a centralized analytics platform for correlation.
- Establish baselines for HTTP request-per-connection ratios and alert on statistical deviations.
How to Mitigate CVE-2026-54273
Immediate Actions Required
- Upgrade aiohttp to version 3.14.1 or later in all server deployments.
- Audit dependency manifests (requirements.txt, pyproject.toml, Pipfile.lock) to identify pinned vulnerable versions.
- Rebuild and redeploy container images that bundle aiohttp to ensure the patched wheel is installed.
Patch Information
The fix is delivered in aiohttp 3.14.1. The patch bounds the pipelined message queue per connection by tracking _msg_in_flight against _max_msg_queue_size in _http_parser.pyx. Refer to the GitHub Security Advisory GHSA-4fvr-rgm6-gqmc and the upstream commit for implementation details.
Workarounds
- Place a reverse proxy in front of aiohttp that disables or limits HTTP pipelining and enforces per-connection request quotas.
- Apply rate limiting and connection memory limits at the load balancer or WAF layer.
- Constrain process memory using cgroups or container limits so a single worker cannot exhaust host memory.
# Configuration example: upgrade aiohttp to the patched release
pip install --upgrade 'aiohttp>=3.14.1'
# Verify installed version
python -c "import aiohttp; print(aiohttp.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

