Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54274

CVE-2026-54274: AIOHTTP WebSocket DoS Vulnerability

CVE-2026-54274 is a denial of service vulnerability in AIOHTTP that allows attackers to bypass memory limits via large incomplete WebSocket frames. This article covers the technical details, affected versions, and fixes.

Published:

CVE-2026-54274 Overview

CVE-2026-54274 is a denial-of-service vulnerability in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. Versions prior to 3.14.1 fail to enforce the configured WebSocket message size limit when an attacker streams large incomplete frame payloads. The flaw allows remote attackers to bypass the _max_msg_size check and exhaust server memory without authentication. The issue is tracked under [CWE-770: Allocation of Resources Without Limits or Throttling] and has been resolved in aiohttp 3.14.1.

Critical Impact

Unauthenticated remote attackers can drive WebSocket servers built on aiohttp into memory exhaustion by sending oversized incomplete frame payloads, leading to denial of service.

Affected Products

  • aiohttp versions prior to 3.14.1
  • Python applications and services exposing WebSocket endpoints built on aiohttp
  • Downstream frameworks and libraries that embed vulnerable aiohttp releases as a dependency

Discovery Timeline

  • 2026-06-22 - CVE-2026-54274 published to NVD
  • 2026-06-22 - Last updated in NVD database
  • Fix released - Patched in aiohttp 3.14.1 via commit 14b6ee851fb16ec199acb950de0c82d476799e7d

Technical Details for CVE-2026-54274

Vulnerability Analysis

The vulnerability resides in the WebSocket frame reader implemented in aiohttp/_websocket/reader_py.py. When a WebSocket message is fragmented across multiple frames, aiohttp accumulates incoming payload bytes in an internal buffer named self._partial. The size check that compares len(self._partial) against self._max_msg_size was placed only on a code path that triggered after a complete frame was processed. An attacker who streams indefinitely growing incomplete frame payloads never crosses that check, allowing the buffer to expand beyond the configured limit. Because aiohttp is widely deployed in async Python web services, a single malicious client can hold a connection open and consume server memory until the process is killed by the operating system.

Root Cause

The root cause is missing enforcement of resource limits during partial frame accumulation [CWE-770]. The _max_msg_size ceiling was evaluated after appending payload bytes in one branch but skipped in the path that handled in-progress frames. As a result, an attacker could feed payload data that bypassed the size guard entirely.

Attack Vector

Exploitation requires only network reachability to a WebSocket endpoint backed by a vulnerable aiohttp version. The attacker establishes a standard WebSocket handshake and then sends crafted frames whose payloads grow without ever signaling completion. Because no authentication or user interaction is required, internet-exposed services using aiohttp WebSockets are reachable targets.

python
                 if opcode != OP_CODE_CONTINUATION:
                     self._opcode = opcode
                 self._partial += payload
-                if self._max_msg_size and len(self._partial) >= self._max_msg_size:
-                    raise WebSocketError(
-                        WSCloseCode.MESSAGE_TOO_BIG,
-                        f"Message size {len(self._partial)} "
-                        f"exceeds limit {self._max_msg_size}",
-                    )
                 return

             has_partial = bool(self._partial)

Source: GitHub Commit 14b6ee85. The patch restructures the reader so that the _max_msg_size check is enforced consistently across partial and completed frame paths, closing the bypass.

Detection Methods for CVE-2026-54274

Indicators of Compromise

  • Sustained WebSocket connections from a single client showing continuously growing inbound payload volume without frame completion.
  • aiohttp worker processes exhibiting rapid resident memory growth, followed by out-of-memory kills or container restarts.
  • Application logs showing WebSocket connections that remain open for unusual durations without producing application-level messages.

Detection Strategies

  • Inventory Python services for aiohttp versions below 3.14.1 using software composition analysis or pip freeze audits across hosts and containers.
  • Instrument WebSocket handlers to log per-connection accumulated payload bytes and alert when a single connection approaches process memory limits.
  • Correlate web server resource exhaustion events with active WebSocket connections to identify abusive clients.

Monitoring Recommendations

  • Track per-process memory utilization for services hosting aiohttp WebSockets and alert on sustained upward trends.
  • Monitor network telemetry for long-lived WebSocket sessions with high inbound byte counts but low outbound application traffic.
  • Enable verbose logging on WebSocket close codes to detect anomalous disconnections tied to resource pressure.

How to Mitigate CVE-2026-54274

Immediate Actions Required

  • Upgrade aiohttp to version 3.14.1 or later across all production, staging, and development environments.
  • Rebuild and redeploy container images and virtual environments that pin vulnerable aiohttp releases.
  • Audit third-party dependencies that transitively include aiohttp and request upstream updates where applicable.

Patch Information

The fix is committed in aiohttp commit 14b6ee85 and shipped in release 3.14.1. Additional context is available in the GitHub Security Advisory GHSA-xcgm-r5h9-7989.

Workarounds

  • Place a reverse proxy in front of aiohttp WebSocket endpoints and enforce strict per-connection inbound byte limits and idle timeouts.
  • Apply per-process memory limits using cgroups, systemd, or container runtime constraints to bound the blast radius of a single abusive connection.
  • Restrict WebSocket exposure to authenticated clients and rate-limit handshake attempts from unknown sources until patching is complete.
bash
# Upgrade aiohttp to the patched release
pip install --upgrade "aiohttp>=3.14.1"

# Verify the installed version
python -c "import aiohttp; print(aiohttp.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.