PT-2026-49592 · Pypi · Aiohttp
Published: 2026-06-15 · Updated: 2026-06-15
CVE-2026-54278
CVSS v4.0: 6.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Summary
During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.
Impact
An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).
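The difference between decompressing a body in one chunk and decompressing it under a size cap, as an added example that is not aiohttp's code or its fix. It uses only Python's standard `zlib` module; `MAX_BODY`, `CHUNK`, `BodyTooLarge` and the all-zero sample payload are assumptions constructed for illustration.

```python
import zlib

MAX_BODY = 1024 * 1024  # assumed cap on decompressed size (1 MiB)
CHUNK = 64 * 1024       # most output bytes accepted per inflate call


class BodyTooLarge(Exception):
    """Decompressed body grew past the configured cap."""


def make_bomb(size: int) -> bytes:
    """Constructed sample: `size` zero bytes, deflate-compressed."""
    return zlib.compress(b"\x00" * size, 9)


def decompress_one_shot(data: bytes) -> bytes:
    """Risky pattern: the whole output is materialised by one call."""
    return zlib.decompress(data)


def decompress_bounded(data: bytes, limit: int = MAX_BODY) -> bytes:
    """Inflate at most CHUNK bytes per step; abort once `limit` is passed."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        chunk = d.decompress(buf, CHUNK)  # max_length bounds this step
        out += chunk
        if len(out) > limit:
            raise BodyTooLarge(f"over {limit} bytes after decompression")
        buf = d.unconsumed_tail           # input not yet consumed
        if not chunk and not buf and not d.eof:
            raise ValueError("truncated compressed stream")
    return bytes(out)


if __name__ == "__main__":
    bomb = make_bomb(8 * 1024 * 1024)
    print("compressed size:", len(bomb))
    print("one-shot output:", len(decompress_one_shot(bomb)))
    try:
        decompress_bounded(bomb)
    except BodyTooLarge as exc:
        print("bounded:", exc)
```

The bounded path never holds more than `limit + CHUNK` bytes of output, whatever the compression ratio of the input.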
Workaround
Disable compression if unable to upgrade.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Aiohttp