Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-34517 is a denial-of-service (DoS) vulnerability affecting aiohttp versions up to 3.9.5. It arises from how aiohttp handles multipart form fields: each field is read completely into memory before its size is validated. An attacker can exploit this by sending a specially crafted multipart request, forcing the application to allocate significant temporary memory and potentially leading to resource exhaustion and service disruption.
The primary impact of CVE-2026-34517 is a denial-of-service condition. An attacker can leverage this vulnerability to exhaust server resources by sending numerous malicious multipart requests. Each request triggers a large memory allocation within the aiohttp framework, potentially leading to application slowdown, instability, or even a crash. While the CVSS score is LOW, the cumulative effect of repeated requests could still disrupt service availability. The root cause is that aiohttp reads the entire multipart field into memory before checking it against the client_max_size limit, so the limit does not bound the memory consumed while the field is being read.
CVE-2026-34517 was publicly disclosed on April 1, 2026. No known public proof-of-concept (PoC) exploits are currently available, but the vulnerability's nature makes it relatively straightforward to exploit. The EPSS score is likely to be low to medium, reflecting the lack of public exploits and the relatively simple nature of the attack. It is not currently listed on the CISA KEV catalog.
Applications utilizing aiohttp for handling multipart form data, particularly those deployed in public-facing environments or handling untrusted user input, are at risk. Services relying on aiohttp for processing file uploads or other large data submissions are also vulnerable. Legacy systems running older versions of aiohttp without robust input validation are especially susceptible.
• python / server:
  ps aux | grep aiohttp | grep -i 'multipart'
• python / server:
  import psutil

  # Report resident memory (RSS) of every process whose name contains "aiohttp"
  for proc in psutil.process_iter(['pid', 'name', 'memory_info']):
      # proc.info['name'] can be None for some processes; guard before lowercasing
      if 'aiohttp' in (proc.info['name'] or '').lower():
          memory_usage = proc.info['memory_info'].rss / (1024 * 1024)  # in MB
          print(f'aiohttp process {proc.pid}: Memory usage = {memory_usage:.2f} MB')
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-34517 is to upgrade to aiohttp version 3.13.4 or later, which includes the fix that prevents the excessive memory allocation. If upgrading immediately is not feasible, consider rate limiting multipart form submissions to reduce the impact of potential attacks. Additionally, review application code that calls Request.post() and ensure that input validation and size limits are enforced. The fix checks the field size against client_max_size while the multipart field is being read, instead of after the whole field is in memory, so an oversized field is rejected before it can exhaust memory. After upgrading, confirm the fix by sending a large multipart request and verifying that memory usage remains within acceptable limits.
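To make the read-then-check flaw and the check-while-reading fix concrete, the following added example (not aiohttp's code and not from the advisory) parses a constructed multipart/form-data body in two modes: one that buffers a whole field before comparing it against the limit, and one that enforces the limit on every chunk read. The boundary, chunk size, limit and field payloads are all constructed sample values, and the parser is a deliberately simplified stand-in for a framework's multipart reader (it assumes payload data never contains a boundary line). It serves both the vulnerability description above and the mitigation paragraph.

```python
import io

# Constructed sample values for the demo (not from the advisory or aiohttp).
BOUNDARY = b"----constructedboundary"
CHUNK = 4096                      # bytes delivered per read, like a socket read
DELIM = b"--" + BOUNDARY + b"\r\n"
CLOSING = b"--" + BOUNDARY + b"--\r\n"


class FieldTooLarge(Exception):
    """Raised when a field exceeds the limit; records how much memory the
    parser was holding for that field and how many bytes it had consumed."""

    def __init__(self, name, buffered, consumed):
        super().__init__(f"field {name!r} exceeds the configured limit")
        self.name, self.buffered, self.consumed = name, buffered, consumed


def build_multipart(fields):
    """Encode (name, payload) pairs as a minimal multipart/form-data body.
    Constructed input for the demo; not a complete RFC 7578 encoder."""
    out = bytearray()
    for name, payload in fields:
        out += DELIM
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        out += payload + b"\r\n"
    out += CLOSING
    return bytes(out)


def _read_part_name(stream):
    """Consume one part's header block and return the field name (None at EOF)."""
    name = None
    while True:
        hdr = stream.readline()
        if hdr in (b"\r\n", b""):
            return name
        if hdr.lower().startswith(b"content-disposition:"):
            name = hdr.split(b'name="', 1)[1].split(b'"', 1)[0].decode()


def parse_multipart(body, max_field_size, check_while_reading):
    """Parse `body`; return ({field: payload_size}, peak_bytes_held_for_a_field).

    check_while_reading=False reproduces the flawed pattern: every field is
    buffered completely and only then compared with the limit, so an
    oversized field costs its full size in memory before it is rejected.
    check_while_reading=True is the fixed pattern: the running total is
    compared with the limit on every read and the request is rejected as soon
    as the limit is exceeded, while holding at most one chunk at a time.
    """
    stream = io.BytesIO(body)
    if stream.readline() != DELIM:
        raise ValueError("body does not start with the boundary")
    sizes, peak = {}, 0
    while True:
        name = _read_part_name(stream)
        if name is None:                          # truncated body
            return sizes, peak
        buffered, total = bytearray(), 0
        while True:
            piece = stream.readline(CHUNK)        # at most CHUNK bytes per read
            if piece in (DELIM, CLOSING, b""):
                break
            total += len(piece)
            if check_while_reading:
                peak = max(peak, len(piece))
                if total - 2 > max_field_size:    # trailing CRLF is not payload
                    raise FieldTooLarge(name, len(piece), total)
            else:
                buffered += piece                 # whole field accumulates here
                peak = max(peak, len(buffered))
        size = total - 2
        if size > max_field_size:                 # the late check of the flawed pattern
            raise FieldTooLarge(name, len(buffered), total)
        sizes[name] = size
        if piece != DELIM:                        # closing boundary or truncated body
            return sizes, peak


def run(body, max_field_size, check_while_reading):
    """Parse and report ('ok', sizes, peak) or ('rejected', field, buffered, consumed)."""
    try:
        sizes, peak = parse_multipart(body, max_field_size, check_while_reading)
        return ("ok", sizes, peak)
    except FieldTooLarge as exc:
        return ("rejected", exc.name, exc.buffered, exc.consumed)


# Constructed requests: one within the limit, one with an 8 MiB field.
LIMIT = 64 * 1024
SMALL = build_multipart([("note", b"hello"), ("file", b"x" * 1000)])
OVERSIZED = build_multipart([("note", b"hello"), ("file", b"x" * (8 * 1024 * 1024))])

if __name__ == "__main__":
    print("small, read-then-check:  ", run(SMALL, LIMIT, False))
    print("oversized, read-then-check:", run(OVERSIZED, LIMIT, False))
    print("oversized, check-while-reading:", run(OVERSIZED, LIMIT, True))
```

Running the script shows the difference that matters for this CVE: both modes reject the oversized field, but the read-then-check mode holds the whole 8 MiB in memory first and consumes the entire field, whereas the check-while-reading mode never holds more than one chunk and stops reading shortly after the limit is crossed. When verifying an upgraded deployment, the memory profile to look for is the second one.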
Update to version 3.13.4 or later of AIOHTTP. This version fixes the vulnerability that allowed denial-of-service attacks through excessive memory consumption when processing multipart form fields.
CVE-2026-34517 is a denial-of-service vulnerability in aiohttp versions up to 3.9.5, allowing attackers to trigger excessive memory allocation via crafted multipart requests.
You are affected if you are using aiohttp version 3.9.5 or earlier. Upgrade to 3.13.4 or later to resolve the issue.
Upgrade to aiohttp version 3.13.4 or later. Consider rate limiting multipart requests as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the aiohttp GitHub commit: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145