Platform: python
Component: aiohttp
Fixed in: 3.13.5, 3.13.4
CVE-2026-34513 describes a Denial of Service (DoS) vulnerability affecting the aiohttp Python web framework. This vulnerability stems from an unbounded DNS cache, which can lead to excessive memory consumption and potentially disrupt service availability. The vulnerability impacts versions of aiohttp up to and including 3.9.5. A patch has been released and upgrading to version 3.13.4 resolves the issue.
The core of the vulnerability lies in aiohttp's DNS caching mechanism. If an application utilizing aiohttp makes a large number of requests to distinct hostnames, the DNS cache can grow without bounds. This uncontrolled growth consumes increasing amounts of system memory. Eventually, this memory exhaustion can lead to a denial of service, effectively rendering the application unresponsive or crashing the server. The impact is particularly severe in environments where applications frequently resolve new hostnames, such as those interacting with dynamic content delivery networks or large-scale distributed systems. While the CVSS score is LOW, the potential for service disruption warrants prompt remediation.
CVE-2026-34513 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a relatively low probability of immediate exploitation. However, the vulnerability's nature—requiring only a large number of DNS requests—makes it potentially exploitable through automated tools or botnets. The vulnerability was disclosed on 2026-04-01.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34513 is to upgrade to aiohttp version 3.13.4 or later, which includes a fix for the unbounded DNS cache. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing temporary workarounds. One approach is to limit the number of concurrent DNS requests made by the application. Another is to manually manage the DNS cache, periodically clearing or pruning entries to prevent excessive growth. Monitor memory usage closely after any changes. The official patch details the fix: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98. After upgrading, verify the fix by simulating a scenario that would trigger the unbounded cache growth and confirming that memory usage remains within acceptable limits.
Update the aiohttp library to version 3.13.4 or higher. This resolves the denial of service vulnerability caused by an unbounded DNS cache in TCPConnector. The update can be performed using the pip package manager: `pip install --upgrade aiohttp`.
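As an added illustration of the pruning workaround described above (example code, not aiohttp's own): a resolver cache keyed by (host, port), the same key shape aiohttp uses, with a hard entry cap and a TTL, plus a simulation that compares it with an unbounded dict when many distinct hostnames are resolved. The resolver stub and hostnames are constructed so the example runs offline; in a real application the same bounding logic would wrap whatever resolver the app calls.

```python
from collections import OrderedDict
import time

class BoundedDnsCache:
    """LRU cache of (host, port) -> addresses with a hard entry cap and a TTL."""

    def __init__(self, max_entries=256, ttl=10.0, clock=time.monotonic):
        self.max_entries, self.ttl, self._clock = max_entries, ttl, clock
        self._entries = OrderedDict()  # (host, port) -> (expires_at, addrs)
        self.evictions = 0  # counts entries dropped to honour the cap

    def lookup(self, host, port, resolve):
        """Return cached addresses, or resolve and insert, evicting LRU past the cap."""
        key, now = (host, port), self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[0] > now:
            self._entries.move_to_end(key)  # refresh LRU position on a hit
            return hit[1]
        addrs = resolve(host, port)
        self._entries[key] = (now + self.ttl, addrs)
        self._entries.move_to_end(key)  # overwriting a stale key keeps its old slot
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # least recently used goes first
            self.evictions += 1
        return addrs

    def prune_expired(self):
        """Drop entries whose TTL has passed; returns how many were removed."""
        now = self._clock()
        stale = [k for k, (exp, _) in self._entries.items() if exp <= now]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def __len__(self):
        return len(self._entries)

def fake_resolve(host, port):
    """Constructed stand-in for a resolver: fixed address, no network."""
    return [("10.0.0.1", port)]

def simulate(distinct_hosts, max_entries):
    """Resolve distinct names; returns (unbounded dict size, bounded cache size)."""
    unbounded, bounded = {}, BoundedDnsCache(max_entries=max_entries)
    for i in range(distinct_hosts):
        host = f"host{i}.example.invalid"  # constructed hostnames
        unbounded[(host, 443)] = fake_resolve(host, 443)
        bounded.lookup(host, 443, fake_resolve)
    return len(unbounded), len(bounded)
```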
CVE-2026-34513 is a Denial of Service vulnerability in aiohttp versions up to 3.9.5, caused by an unbounded DNS cache leading to excessive memory usage.
You are affected if you are using aiohttp versions 3.9.5 or earlier. Upgrade to 3.13.4 or later to mitigate the risk.
Upgrade to aiohttp version 3.13.4 or later. If immediate upgrade is not possible, consider temporary workarounds like limiting concurrent DNS requests.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it potentially exploitable.
The official patch and details can be found on the aiohttp GitHub repository: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98