AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.
PUBLISHED5.2CWE-404
AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Problem type
Affected products
aio-libs
aiohttp
< 3.14.1 - AFFECTED
References
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9
https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587
https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587
GitHub Security Advisories
GHSA-9x8q-7h8h-wcw9
aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
https://github.com/advisories/GHSA-9x8q-7h8h-wcw9Summary
Payload resources are not closed correctly when a client disconnects in the middle of a write.
Impact
If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.
Patch: https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-54280Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-54280",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T18:18:21.597Z",
"dateReserved": "2026-06-12T17:13:32.280Z",
"datePublished": "2026-06-22T16:40:23.157Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T16:40:23.157Z"
},
"title": "AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect",
"descriptions": [
{
"lang": "en",
"value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1."
}
],
"affected": [
{
"vendor": "aio-libs",
"product": "aiohttp",
"versions": [
{
"version": "< 3.14.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-404: Improper Resource Shutdown or Release",
"cweId": "CWE-404",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9",
"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587",
"name": "https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-06-22T18:18:21.597Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}