Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-54278— AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

AI Predicted 7.5 Difficulty: Easy EPSS 0.28% · P20

Possible ATT&CK Techniques 1AI

T1496 · Resource Hijacking

Affected Version Matrix 1

VendorProductVersion RangeStatus
aio-libsaiohttp< 3.14.1affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-54278

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
Source: NVD (National Vulnerability Database)
Vulnerability Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对高度压缩数据的处理不恰当(数据放大攻击)
Source: NVD (National Vulnerability Database)
Vulnerability Title
aio-libs Async http client/server framework 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
aio-libs aiohttp是aio-libs的异步HTTP客户端/服务器框架。 aio-libs Async http client/server framework存在资源管理错误漏洞,该漏洞源于在清理期间可能将压缩请求体解压到内存中,可能导致拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
aio-libsaiohttp < 3.14.1 -

II. Public POCs for CVE-2026-54278

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-54278

登录查看更多情报信息。

Patches & Fixes for CVE-2026-54278 (1)

Vendor Advisories for CVE-2026-54278 (1)

Same Patch Batch · aio-libs · 2026-06-22 · 9 CVEs total

CVE-2026-54274AIOHTTP: Incomplete websocket frame payloads bypass memory limits
CVE-2026-54280AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect
CVE-2026-54277AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines
CVE-2026-54273AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit
CVE-2026-54279AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
CVE-2026-54275AIOHTTP: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
CVE-2026-54276AIOHTTP: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
CVE-2026-50269AIOHTTP: CRLF injection in multipart headers

IV. Related Vulnerabilities

V. Comments for CVE-2026-54278

No comments yet


Leave a comment