Platform: python
Component: aiohttp
Fixed in: 3.13.5, 3.13.4
CVE-2026-34513 describes a Denial of Service (DoS) vulnerability affecting the aiohttp Python web framework. This vulnerability stems from an unbounded DNS cache, which can lead to excessive memory consumption and potentially disrupt service availability. The vulnerability impacts versions of aiohttp up to and including 3.9.5. A patch has been released and upgrading to version 3.13.4 resolves the issue.
The core of the vulnerability lies in aiohttp's DNS caching mechanism. If an application using aiohttp makes a large number of requests to distinct hostnames, the DNS cache can grow without bounds. This uncontrolled growth consumes increasing amounts of memory. Eventually, this can exhaust available system resources, leading to a denial of service. The impact is primarily resource exhaustion, potentially rendering the application unresponsive and impacting dependent services. While the CVSS score is LOW, the potential for disruption in high-traffic environments should not be underestimated.
CVE-2026-34513 is not currently listed on KEV or EPSS. The CVSS score of 2.5 indicates a low probability of exploitation. No public proof-of-concept (PoC) code had been released as of the publication date. The vulnerability was disclosed on 2026-04-01.
Applications heavily reliant on aiohttp for making numerous DNS requests are at higher risk. This includes web applications interacting with CDNs, microservice architectures with frequent inter-service communication, and systems performing large-scale data scraping or crawling. Environments using older, unpatched versions of aiohttp are particularly vulnerable.
• python / server:
  import psutil
  # Monitor memory usage
  memory_usage = psutil.virtual_memory().percent
  print(f"Memory usage: {memory_usage}%")
• python / server:
  # Check aiohttp version
  python -c "import aiohttp; print(aiohttp.__version__)"
• generic web:
  # Check for excessive DNS requests in access logs (example)
  grep 'DNS' /var/log/nginx/access.log | wc -l
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2026-34513 is to upgrade to aiohttp version 3.13.4 or later, which includes a fix for the unbounded DNS cache. If an immediate upgrade is not feasible, consider implementing rate limiting on DNS requests to prevent excessive cache growth. Additionally, monitoring system memory usage is crucial to detect potential DoS conditions. While a WAF is unlikely to directly mitigate this, it can help detect and block suspicious patterns of DNS requests. The official patch details the fix: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98. After upgrading, verify the fix by simulating a high volume of DNS requests and confirming that memory usage remains within acceptable limits.
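To make the growth pattern described above and the bounded-cache fix concrete, here is an added example (written for this page, not aiohttp's own TCPConnector code and not from the advisory) that models a resolver cache keyed by (host, port) in two forms: one that gains an entry for every distinct hostname and is never trimmed, and one capped by an LRU limit plus a TTL. The class names, the constructed host names and the documentation address 192.0.2.1 are assumptions.

```python
from collections import OrderedDict
import time

class UnboundedDnsCache:
    """Models the flaw: one entry per distinct (host, port), never evicted."""
    def __init__(self):
        self._entries = {}
    def put(self, host, port, addrs):
        self._entries[(host, port)] = (addrs, time.monotonic())
    def __len__(self):
        return len(self._entries)

class BoundedDnsCache:
    """Same key shape, but capped at max_entries (LRU eviction) and aged out by ttl."""
    def __init__(self, max_entries, ttl, clock=time.monotonic):
        self._entries = OrderedDict()  # order of use drives eviction
        self._max = max_entries
        self._ttl = ttl
        self._clock = clock  # injectable clock so expiry is testable without sleeping

    def put(self, host, port, addrs):
        key = (host, port)
        self._entries.pop(key, None)  # re-insert so a refreshed entry moves to the end
        self._entries[key] = (addrs, self._clock())
        while len(self._entries) > self._max:
            self._entries.popitem(last=False)  # evict the least recently used entry

    def get(self, host, port):
        key = (host, port)
        item = self._entries.get(key)
        if item is None:
            return None
        addrs, stored_at = item
        if self._clock() - stored_at > self._ttl:
            del self._entries[key]  # stale answer: drop it and force a fresh resolve
            return None
        self._entries.move_to_end(key)  # mark as recently used
        return addrs

    def __len__(self):
        return len(self._entries)

def fill_with_distinct_hosts(cache, n_hosts):
    """Insert n_hosts distinct hostnames and return the resulting entry count."""
    for i in range(n_hosts):
        cache.put(f"host-{i}.example", 443, ["192.0.2.1"])  # constructed names, documentation IP
    return len(cache)
```

Feeding both caches the same stream of distinct hostnames shows the difference directly: the unbounded one ends with as many entries as hostnames seen, the bounded one never exceeds its cap, and its stale entries vanish once the TTL passes.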
Update the aiohttp library to version 3.13.4 or later. This fixes the denial-of-service vulnerability caused by an unbounded DNS cache in TCPConnector. The update can be performed with the pip package manager: `pip install --upgrade aiohttp`.
CVE-2026-34513 is a Denial of Service vulnerability in aiohttp versions up to 3.9.5, caused by an unbounded DNS cache leading to excessive memory usage.
You are affected if you are using aiohttp versions 3.9.5 or earlier. Upgrade to 3.13.4 or later to mitigate the risk.
Upgrade to aiohttp version 3.13.4 or later. If immediate upgrade is not possible, consider temporary workarounds like limiting concurrent DNS requests.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it potentially exploitable.
The official patch and details can be found on the aiohttp GitHub repository: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98