AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
PUBLISHED 5.2 CWE-770
AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit
Problem type
Affected products
aio-libs
aiohttp
< 3.14.1 - AFFECTED
References
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4fvr-rgm6-gqmc
https://github.com/aio-libs/aiohttp/commit/dfdfa9d5aad5d21f91c79fb2ceeba0f8046cb6cf
GitHub Security Advisories
GHSA-4fvr-rgm6-gqmc
aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
https://github.com/advisories/GHSA-4fvr-rgm6-gqmc
Summary
No limit was present on the number of pipelined requests that could be queued.
Impact
An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS.
Patch: https://github.com/aio-libs/aiohttp/commit/dfdfa9d5aad5d21f91c79fb2ceeba0f8046cb6cf
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-54273
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-54273",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T17:38:06.286Z",
"dateReserved": "2026-06-12T17:13:32.280Z",
"datePublished": "2026-06-22T16:41:20.261Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T16:41:20.261Z"
},
"title": "AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit",
"descriptions": [
{
"lang": "en",
"value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1."
}
],
"affected": [
{
"vendor": "aio-libs",
"product": "aiohttp",
"versions": [
{
"version": "< 3.14.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"cweId": "CWE-770",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4fvr-rgm6-gqmc",
"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4fvr-rgm6-gqmc",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/aio-libs/aiohttp/commit/dfdfa9d5aad5d21f91c79fb2ceeba0f8046cb6cf",
"name": "https://github.com/aio-libs/aiohttp/commit/dfdfa9d5aad5d21f91c79fb2ceeba0f8046cb6cf",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-06-22T17:38:06.286Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}