Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-22815 describes a memory exhaustion vulnerability discovered in aiohttp, a Python 3.6+ HTTP client/server framework. This vulnerability arises from insufficient restrictions in header and trailer handling, potentially allowing an attacker to trigger excessive memory usage. The vulnerability affects versions of aiohttp up to and including 3.9.5. A patch addressing this issue has been released in version 3.13.4.
The primary impact of CVE-2026-22815 is memory exhaustion. An attacker can craft malicious HTTP requests or responses with oversized headers or trailers, causing aiohttp to allocate excessive memory. This can lead to application instability, crashes, and potentially a denial-of-service condition. The blast radius is limited to the affected aiohttp application instance. However, in a web application context, this could impact all users attempting to access the vulnerable service. A typical reverse proxy configuration can mitigate this risk by imposing limits on header and trailer sizes, effectively acting as a defense-in-depth measure.
CVE-2026-22815 was published on April 1, 2026. As of the current date, there are no publicly known exploits or active campaigns targeting this vulnerability. The vulnerability's impact is primarily related to resource exhaustion, which is a common attack vector. The EPSS score is pending evaluation. Refer to the aiohttp project's GitHub repository for more details and updates: https://github.com/aio-libs/aiohttp.
Applications utilizing aiohttp versions 3.9.5 or earlier are at risk. This includes web applications, APIs, and microservices built with aiohttp, particularly those handling untrusted input or processing large HTTP headers and trailers. Shared hosting environments using aiohttp are also at increased risk.
• python / server:
  import aiohttp
  print(aiohttp.__version__)
• python / supply-chain:
  Check project dependencies for aiohttp versions <= 3.9.5 using pip freeze or poetry show.
• generic web:
  Monitor application logs for unusually high memory usage or crashes related to HTTP header/trailer processing.
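As an added example (not code from the advisory or the aiohttp project), the supply-chain check above can be automated with a stdlib-only script that reads pip freeze or requirements.txt style lines and classifies every aiohttp pin against the ranges this page states (affected up to 3.9.5, patched in 3.13.4); the sample dependency file is constructed, and versions between the two stated bounds are reported for manual review rather than guessed.

```python
import re

AFFECTED_MAX = (3, 9, 5)   # highest affected version per the advisory
FIXED_IN = (3, 13, 4)      # first patched release per the advisory

# Constructed sample input, not a real project's dependency file.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
aiohttp==3.9.5
aiohttp==3.10.0
AIOHTTP == 3.13.4
aiohttp>=3.8        # range specifier: exact version unknown offline
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text: str) -> tuple:
    """'3.9.5' -> (3, 9, 5). Stops at the first non-numeric piece (so a
    pre-release tag such as 'rc1' is ignored) and pads to three parts."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def classify(version: str) -> str:
    """Map one version string onto the advisory's stated ranges."""
    v = parse_version(version)
    if v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_IN:
        return "fixed"
    # Between the stated affected ceiling and the patched release: the
    # advisory does not cover these, so flag them for manual review.
    return "review"


def check_requirements(text: str) -> list:
    """Return (line, status) for every aiohttp line. '==' pins are
    classified; any other specifier is 'unpinned' (version not resolvable)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        name = re.split(r"[\s=<>!~;\[]", line, maxsplit=1)[0].lower()
        if name != "aiohttp":
            continue
        m = _PIN.match(line)
        findings.append((line, classify(m.group(2)) if m else "unpinned"))
    return findings


if __name__ == "__main__":
    for line, status in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:9} {line}")
```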
Disclosure
Exploit status
EPSS
0.05% (16th percentile)
The recommended mitigation for CVE-2026-22815 is to upgrade aiohttp to version 3.13.4 or later. If upgrading is not immediately possible, consider implementing a reverse proxy (e.g., Nginx, Apache) in front of the aiohttp application and configuring it to limit the size of HTTP headers and trailers. This will prevent oversized requests and responses from reaching the aiohttp server. Additionally, review your application code to ensure it handles HTTP headers and trailers safely and efficiently. After upgrading, confirm the fix by sending a request with a large header and verifying that the application does not experience memory exhaustion.
Update AIOHTTP to version 3.13.4 or later. This version contains the fix for the excessive memory usage vulnerability caused by unlimited handling of trailer headers.
CVE-2026-22815 is a vulnerability in aiohttp versions up to 3.9.5 where insufficient header/trailer handling can lead to memory exhaustion, potentially causing a denial-of-service.
You are affected if you are using aiohttp version 3.9.5 or earlier. Check your installed version using pip freeze or poetry show.
Upgrade to aiohttp version 3.13.4 or later. If immediate upgrade is not possible, implement a reverse proxy to limit header/trailer sizes.
There is no confirmed active exploitation of CVE-2026-22815 at this time, but the potential for DoS warrants attention.
Refer to the aiohttp GitHub repository commit: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36