AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1.
PUBLISHED5.2CWE-770
AIOHTTP: Incomplete websocket frame payloads bypass memory limits
Problem type
Affected products
aio-libs
aiohttp
< 3.14.1 - AFFECTED
References
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989
https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d
https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d
GitHub Security Advisories
GHSA-xcgm-r5h9-7989
aiohttp: Incomplete websocket frame payloads bypass memory limits
https://github.com/advisories/GHSA-xcgm-r5h9-7989Summary
If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.
Impact
If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use.
Patch: https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-54274Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-54274",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T18:14:44.845Z",
"dateReserved": "2026-06-12T17:13:32.280Z",
"datePublished": "2026-06-22T16:33:37.789Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T16:33:37.789Z"
},
"title": "AIOHTTP: Incomplete websocket frame payloads bypass memory limits",
"descriptions": [
{
"lang": "en",
"value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1."
}
],
"affected": [
{
"vendor": "aio-libs",
"product": "aiohttp",
"versions": [
{
"version": "< 3.14.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"cweId": "CWE-770",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989",
"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d",
"name": "https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-06-22T18:14:44.845Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}