Platform: python
Component: aiohttp
Fixed in: 3.13.5, 3.13.4
CVE-2026-34517 is a denial-of-service (DoS) vulnerability affecting aiohttp versions up to 3.9.5. This vulnerability arises from how aiohttp handles multipart form fields, where it reads the entire field into memory before validating its size. An attacker can exploit this by sending a specially crafted multipart request, forcing the application to allocate significant temporary memory, potentially leading to resource exhaustion and service disruption.
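To make the read-then-validate pattern concrete, here is an added toy illustration (not aiohttp's own code): a streaming reader for one multipart field consumed two ways, once buffering the whole field before checking its size, as the advisory describes, and once enforcing the limit on every chunk. The per-field limit, chunk size and sample body are constructed for the example.

```python
# Added example, not aiohttp's code; the limit, chunk size and body are constructed.
MAX_FIELD = 1024   # assumed per-field limit (bytes)
CHUNK = 256        # simulated socket read size
BOUNDARY = "xYz"

def make_body(payload: bytes) -> bytes:
    """Constructed multipart/form-data body holding one field (not a real capture)."""
    return (b"--xYz\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n"
            + payload + b"\r\n--xYz--\r\n")

def field_chunks(body: bytes, chunk_size: int = CHUNK):
    """Yield the first part's data in socket-sized chunks, up to the closing delimiter."""
    delim = b"\r\n--" + BOUNDARY.encode()
    pos = body.index(b"\r\n\r\n") + 4      # skip the part headers
    window = b""
    while True:
        piece = body[pos:pos + chunk_size]
        pos += chunk_size
        window += piece
        hit = window.find(delim)
        if hit != -1:                      # delimiter reached: emit the rest, stop
            yield window[:hit]
            return
        if not piece:
            raise ValueError("unterminated multipart part")
        keep = len(delim) - 1              # a delimiter may straddle two reads
        if len(window) > keep:
            yield window[:-keep]
            window = window[-keep:]

def read_then_check(chunks, limit: int = MAX_FIELD):
    """Bug class from the advisory: buffer the whole field, validate afterwards.
    Returns (accepted, peak bytes buffered, data)."""
    buf = bytearray()
    for c in chunks:
        buf += c                           # peak memory = whatever the client sent
    ok = len(buf) <= limit
    return ok, len(buf), bytes(buf) if ok else b""

def read_with_budget(chunks, limit: int = MAX_FIELD):
    """Hardened pattern: stop as soon as the running total would exceed the limit,
    so the buffer never grows past limit + one chunk. Same return shape."""
    buf = bytearray()
    for c in chunks:
        if len(buf) + len(c) > limit:
            return False, len(buf) + len(c), b""   # pending chunk counted, not kept
        buf += c
    return True, len(buf), bytes(buf)
```

Both readers reject an oversized field, but only the budgeted one keeps peak memory bounded by the limit rather than by the size the client chose to send.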
The primary impact of CVE-2026-34517 is a denial-of-service condition. An attacker can craft a multipart form submission that, despite being ultimately rejected due to size limitations, triggers a large memory allocation within the aiohttp server. This allocation can consume significant system resources, potentially impacting the availability of the application and even affecting other services running on the same server. While the CVSS score is LOW, the potential for resource exhaustion and service disruption should not be underestimated, particularly in high-traffic environments or those with limited resources. The vulnerability doesn't directly lead to data exfiltration or code execution, but it can effectively render the application unresponsive.
CVE-2026-34517 was publicly disclosed on 2026-04-01. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature makes it relatively straightforward to exploit. The LOW CVSS score suggests a lower probability of exploitation, but the ease of crafting malicious requests warrants attention.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-34517 is to upgrade to aiohttp version 3.13.4 or later, which includes a fix for the vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds such as rate limiting incoming requests, particularly multipart form submissions. Additionally, configure your web server or reverse proxy to limit the maximum size of multipart requests to prevent excessively large submissions. Monitoring server memory usage is also crucial to detect potential DoS attacks. After upgrading, confirm the fix by sending a large multipart request and verifying that memory allocation remains within acceptable limits.
Update to version 3.13.4 or higher of aiohttp. This version fixes the vulnerability that allows denial-of-service attacks through excessive memory consumption when processing multipart form fields.
CVE-2026-34517 is a denial-of-service vulnerability in aiohttp versions up to 3.9.5, allowing attackers to trigger excessive memory allocation via crafted multipart requests.
You are affected if you are using aiohttp version 3.9.5 or earlier. Upgrade to 3.13.4 or later to resolve the issue.
Upgrade to aiohttp version 3.13.4 or later. Consider rate limiting multipart requests as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the aiohttp GitHub commit: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145