Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-34513 describes a Denial of Service (DoS) vulnerability affecting the aiohttp Python web framework. This vulnerability stems from an unbounded DNS cache, which can lead to excessive memory consumption and potentially disrupt service availability. The vulnerability impacts versions of aiohttp up to and including 3.9.5. A patch has been released and upgrading to version 3.13.4 resolves the issue.
The core of the vulnerability lies in aiohttp's DNS caching mechanism. If an application utilizing aiohttp makes a large number of requests to distinct hostnames, the DNS cache can grow without bounds. This uncontrolled growth consumes increasing amounts of system memory. Eventually, this memory exhaustion can lead to a denial of service, effectively rendering the application unresponsive or crashing the server. The impact is particularly severe in environments where applications frequently resolve new hostnames, such as those interacting with dynamic content delivery networks or large-scale distributed systems. While the CVSS score is LOW, the potential for service disruption warrants prompt remediation.
CVE-2026-34513 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a relatively low probability of immediate exploitation. However, the vulnerability's nature—requiring only a large number of DNS requests—makes it potentially exploitable through automated tools or botnets. The vulnerability was disclosed on 2026-04-01.
Applications heavily reliant on aiohttp for making numerous DNS requests are at higher risk. This includes web applications interacting with CDNs, microservice architectures with frequent inter-service communication, and systems performing large-scale data scraping or crawling. Environments using older, unpatched versions of aiohttp are particularly vulnerable.
• python / server:
import psutil
# Monitor memory usage
memory_usage = psutil.virtual_memory().percent
print(f"Memory usage: {memory_usage}%")
• python / server:
# Check aiohttp version
python -c "import aiohttp; print(aiohttp.__version__)"
• generic web:
# Check for excessive DNS requests in access logs (example)
grep 'DNS' /var/log/nginx/access.log | wc -l
disclosure
patch
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34513 is to upgrade to aiohttp version 3.13.4 or later, which includes a fix for the unbounded DNS cache. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing temporary workarounds. One approach is to limit the number of concurrent DNS requests made by the application. Another is to manually manage the DNS cache, periodically clearing or pruning entries to prevent excessive growth. Monitor memory usage closely after any changes. The official patch details the fix: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98. After upgrading, verify the fix by simulating a scenario that would trigger the unbounded cache growth and confirming that memory usage remains within acceptable limits.
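As an added illustration of the "manually manage the DNS cache" workaround (this is not aiohttp's own code and not the linked patch), the hypothetical BoundedDnsCache below caps entries with LRU eviction and a TTL, and fake_resolve is a constructed stand-in for real DNS lookups so it runs offline. Resolving thousands of distinct hostnames through it never grows the cache past max_entries, and prune_expired() drops stale entries on a schedule.

```python
import time
from collections import OrderedDict


class BoundedDnsCache:
    """Hypothetical LRU + TTL cache: memory stays capped at max_entries."""

    def __init__(self, max_entries=1000, ttl=10.0, clock=time.monotonic):
        self.max_entries = max_entries
        self.ttl = ttl
        self.clock = clock                 # injectable so expiry can be tested
        self._entries = OrderedDict()      # (host, port) -> (expires_at, addrs)

    def get(self, key):
        item = self._entries.get(key)
        if item is None or item[0] <= self.clock():   # missing or stale
            self._entries.pop(key, None)              # drop stale entry, re-resolve
            return None
        self._entries.move_to_end(key)                # mark most recently used
        return item[1]

    def put(self, key, addrs):
        self._entries[key] = (self.clock() + self.ttl, addrs)
        self._entries.move_to_end(key)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)         # evict least recently used

    def prune_expired(self):
        # Periodic pruning as described in the workaround; returns entries dropped.
        now = self.clock()
        stale = [k for k, (exp, _) in self._entries.items() if exp <= now]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def __len__(self):
        return len(self._entries)


def fake_resolve(host, port):
    # Constructed stand-in for a real resolver: deterministic, no network needed.
    return [f"10.0.{sum(map(ord, host)) % 256}.{port % 256}"]


def resolve_many(cache, hosts, port=443):
    # Resolve each host through the cache; returns (cache hits, final cache size).
    hits = 0
    for host in hosts:
        key = (host, port)
        if cache.get(key) is not None:
            hits += 1
        else:
            cache.put(key, fake_resolve(host, port))
    return hits, len(cache)
```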
Upgrade the aiohttp library to version 3.13.4 or later. This fixes the denial-of-service vulnerability caused by an unbounded DNS cache in TCPConnector. The upgrade can be performed with the pip package manager: `pip install --upgrade aiohttp`.
CVE-2026-34513 is a Denial of Service vulnerability in aiohttp versions up to 3.9.5, caused by an unbounded DNS cache leading to excessive memory usage.
You are affected if you are using aiohttp versions 3.9.5 or earlier. Upgrade to 3.13.4 or later to mitigate the risk.
Upgrade to aiohttp version 3.13.4 or later. If immediate upgrade is not possible, consider temporary workarounds like limiting concurrent DNS requests.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it potentially exploitable.
The official patch and details can be found on the aiohttp GitHub repository: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98