PT-2026-29606 · Aiohttp · Aiohttp

Bekkaze · Published 2026-04-01 · Updated 2026-05-18 · CVE-2026-34517

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

AIOHTTP versions prior to 3.13.4

Description

Prior to version 3.13.4, AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, read the entire multipart form field into memory before checking the client max size limit. This could allow an attacker to cause significant temporary memory allocation even if the request is ultimately rejected.

Recommendations

Update to version 3.13.4 or later.
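
The ordering problem in the description, as an added example that is not AIOHTTP's code or its patch: a simplified model comparing peak buffered bytes when the size limit is checked after the field is read versus on every chunk. `FakeField`, `read_then_check`, `check_while_reading`, `demo` and the chunk size are hypothetical names and values chosen for this sketch.

```python
import asyncio

CHUNK = 8192  # bytes per read; assumed value for this sketch


class FakeField:
    """Constructed stand-in for a multipart field arriving from the network."""

    def __init__(self, size: int):
        self._left = size

    async def read_chunk(self, n: int = CHUNK) -> bytes:
        await asyncio.sleep(0)  # yield to the event loop like a socket read would
        take = min(n, self._left)
        self._left -= take
        return b"x" * take


async def read_then_check(field, max_size):
    """Pre-fix ordering: buffer the whole field, then compare with the limit."""
    buf = bytearray()
    while chunk := await field.read_chunk():
        buf += chunk
    peak = len(buf)
    if peak > max_size:
        return None, peak  # rejected, but the memory was already allocated
    return bytes(buf), peak


async def check_while_reading(field, max_size):
    """Hardened ordering: enforce the limit before buffering each chunk."""
    buf = bytearray()
    while chunk := await field.read_chunk():
        if len(buf) + len(chunk) > max_size:
            return None, len(buf)  # reject without growing past the limit
        buf += chunk
    return bytes(buf), len(buf)


def demo(field_size=5 * 1024 * 1024, max_size=1024 * 1024):
    """Return peak buffered bytes as (pre-fix, hardened) for one field size."""
    _, before = asyncio.run(read_then_check(FakeField(field_size), max_size))
    _, after = asyncio.run(check_while_reading(FakeField(field_size), max_size))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Both orderings reject the oversized field; only the second keeps the allocation bounded by the limit regardless of what the client sends.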

Fix

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AN27706
CVE-2026-34517
ECHO-185F-C78C-4E82
GHSA-3WQ7-RQQ7-WX6J
OESA-2026-2192
OESA-2026-2193
OESA-2026-2194

Affected Products

Aiohttp