AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
PUBLISHED | 5.2 | CWE-770
AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Problem type
Affected products
aio-libs
aiohttp
< 3.14.1 - AFFECTED
References
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2
https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d
GitHub Security Advisories
GHSA-63hw-fmq6-xxg2
aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
https://github.com/advisories/GHSA-63hw-fmq6-xxg2
Summary
It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser.
Impact
If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.
Patch: https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-54277
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-54277",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T16:37:28.532Z",
    "dateReserved": "2026-06-12T17:13:32.280Z",
    "datePublished": "2026-06-22T16:37:28.532Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T16:37:28.532Z"
      },
      "title": "AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines",
      "descriptions": [
        {
          "lang": "en",
          "value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1."
        }
      ],
      "affected": [
        {
          "vendor": "aio-libs",
          "product": "aiohttp",
          "versions": [
            {
              "version": "< 3.14.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "cweId": "CWE-770",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2",
          "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d",
          "name": "https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}