Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54280

CVE-2026-54280: AIOHTTP DoS Vulnerability

CVE-2026-54280 is a denial of service vulnerability in AIOHTTP that allows attackers to cause resource starvation through improper payload closure. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-54280 Overview

CVE-2026-54280 is a resource management vulnerability in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. Versions prior to 3.14.1 fail to close payload resources correctly when a client disconnects mid-write. When a payload references an open file or other limited resource, an attacker can trigger repeated mid-write disconnects to leak file handles. This leads to temporary resource starvation until Python garbage collection reclaims the orphaned objects. The issue is classified under [CWE-404: Improper Resource Shutdown or Release]. AIOHTTP version 3.14.1 contains the fix.

Critical Impact

Remote attackers can induce temporary resource starvation on AIOHTTP servers by disconnecting during response writes, causing file handles and other limited resources to remain open until garbage collection.

Affected Products

  • AIOHTTP versions prior to 3.14.1
  • Python applications using AIOHTTP server with file-backed Payload responses
  • Asynchronous HTTP services built on the aiohttp.web framework

Discovery Timeline

  • 2026-06-22 - CVE-2026-54280 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-54280

Vulnerability Analysis

The defect resides in the response write path of aiohttp/web_response.py. When the response body is an instance of Payload, AIOHTTP calls self._body.write(self._payload_writer) followed by self._body.close(). If the client terminates the connection during the write() call, the write coroutine raises an exception and propagates upward before close() executes. The payload object remains open, holding any underlying file descriptor or limited resource until the Python garbage collector finalizes the object. An attacker who repeatedly issues requests and aborts them mid-response can accumulate leaked descriptors and exhaust per-process file handle limits.

Root Cause

The sequential write then close pattern lacks exception safety. Without a try/finally block, any exception raised inside write() skips close() entirely. The EPSS probability is 0.247% at the 15.883 percentile, reflecting low expected exploitation volume.

Attack Vector

A network-based attacker sends HTTP requests targeting endpoints that return file-backed Payload responses. The attacker closes the TCP connection while the server streams response data. Each aborted request leaks one resource handle. Repeating this at scale forces resource exhaustion until garbage collection runs.

python
         if body is None or self._must_be_empty_body:
             await super().write_eof()
         elif isinstance(self._body, Payload):
-            await self._body.write(self._payload_writer)
-            await self._body.close()
+            try:
+                await self._body.write(self._payload_writer)
+            finally:
+                await self._body.close()
             await super().write_eof()
         else:
             await super().write_eof(cast(bytes, body))

Source: aiohttp GitHub commit a762eda5. The patch wraps the payload write in a try/finally block to guarantee that close() runs even when the client disconnects.

Detection Methods for CVE-2026-54280

Indicators of Compromise

  • Elevated counts of open file descriptors held by AIOHTTP worker processes over time
  • Frequent client disconnects observed in AIOHTTP access logs during response streaming
  • OSError: [Errno 24] Too many open files errors raised by the Python runtime
  • Bursts of short-lived TCP connections terminated with RST before response completion

Detection Strategies

  • Monitor /proc/<pid>/fd counts and compare against the soft limit returned by ulimit -n for each AIOHTTP worker
  • Correlate connection-reset events in network telemetry with AIOHTTP endpoints that serve file-backed payloads
  • Inspect installed package metadata for aiohttp versions below 3.14.1 across Python environments

Monitoring Recommendations

  • Track file descriptor usage as a metric in application performance monitoring (APM) dashboards
  • Alert when the rate of mid-response client disconnects exceeds historical baselines
  • Log Python ResourceWarning events to surface unclosed file objects after garbage collection

How to Mitigate CVE-2026-54280

Immediate Actions Required

  • Upgrade AIOHTTP to version 3.14.1 or later in all production and development environments
  • Audit Python dependency manifests including requirements.txt, pyproject.toml, and Pipfile.lock for pinned vulnerable versions
  • Restart AIOHTTP worker processes after upgrading to release any leaked descriptors held by long-running workers

Patch Information

The fix is committed in aiohttp commit a762eda5 and shipped in AIOHTTP 3.14.1. Full details are available in the GitHub Security Advisory GHSA-9x8q-7h8h-wcw9. The patch reorders the payload write and close calls inside a try/finally block.

Workarounds

  • Increase per-process file descriptor limits with ulimit -n as a short-term buffer while planning the upgrade
  • Avoid serving responses backed by open file Payload objects and prefer in-memory bytes responses where practical
  • Deploy a reverse proxy that buffers complete responses before forwarding, reducing exposure to mid-write client disconnects
bash
# Upgrade AIOHTTP to the patched release
pip install --upgrade 'aiohttp>=3.14.1'

# Verify the installed version
python -c "import aiohttp; print(aiohttp.__version__)"

# Optional: raise file descriptor limits as a temporary measure
ulimit -n 65535

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.