Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-34517 is a denial-of-service (DoS) vulnerability affecting aiohttp versions up to 3.9.5. This vulnerability arises from how aiohttp handles multipart form fields, where it reads the entire field into memory before validating its size. An attacker can exploit this by sending a specially crafted multipart request, forcing the application to allocate significant temporary memory, potentially leading to resource exhaustion and service disruption.
The primary impact of CVE-2026-34517 is a denial-of-service condition. An attacker can craft a multipart form submission that, despite being ultimately rejected due to size limitations, triggers a large memory allocation within the aiohttp server. This allocation can consume significant system resources, potentially impacting the availability of the application and even affecting other services running on the same server. While the CVSS score is LOW, the potential for resource exhaustion and service disruption should not be underestimated, particularly in high-traffic environments or those with limited resources. The vulnerability doesn't directly lead to data exfiltration or code execution, but it can effectively render the application unresponsive.
CVE-2026-34517 was publicly disclosed on 2026-04-01. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature makes it relatively straightforward to exploit. The LOW CVSS score suggests a lower probability of exploitation, but the ease of crafting malicious requests warrants attention.
Applications utilizing aiohttp for handling multipart form data, particularly those deployed in public-facing environments or handling untrusted user input, are at risk. Services relying on aiohttp for processing file uploads or other large data submissions are also vulnerable. Legacy systems running older versions of aiohttp without robust input validation are especially susceptible.
• python / server:
ps aux | grep aiohttp | grep -i 'multipart'
• python / server:
import psutil

# Monitor resident memory (RSS) of aiohttp processes; a sudden rise while
# multipart uploads are in flight is the symptom described above.
# Note: an aiohttp app usually runs under a process named 'python', so
# match on the command line instead if your service is not named 'aiohttp'.
for proc in psutil.process_iter(['pid', 'name', 'memory_info']):
    name = proc.info['name'] or ''
    mem = proc.info['memory_info']
    if 'aiohttp' in name.lower() and mem is not None:
        memory_usage = mem.rss / (1024 * 1024)  # RSS in MB
        print(f'aiohttp process {proc.pid}: Memory usage = {memory_usage:.2f} MB')
Exploit status
EPSS
0.05% (percentile 16%)
CISA SSVC
The recommended mitigation for CVE-2026-34517 is to upgrade to aiohttp version 3.13.4 or later, which includes a fix for the vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds such as rate limiting incoming requests, particularly multipart form submissions. Additionally, configure your web server or reverse proxy to limit the maximum size of multipart requests to prevent excessively large submissions. Monitoring server memory usage is also crucial to detect potential DoS attacks. After upgrading, confirm the fix by sending a large multipart request and verifying that memory allocation remains within acceptable limits.
Upgrade to aiohttp version 3.13.4 or later. This version fixes the vulnerability that allows denial-of-service attacks through excessive memory consumption when processing multipart form fields.
CVE-2026-34517 is a denial-of-service vulnerability in aiohttp versions up to 3.9.5, allowing attackers to trigger excessive memory allocation via crafted multipart requests.
You are affected if you are using aiohttp version 3.9.5 or earlier. Upgrade to 3.13.4 or later to resolve the issue.
Upgrade to aiohttp version 3.13.4 or later. Consider rate limiting multipart requests as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the aiohttp GitHub commit: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145