Fluid Attacks Database

Description

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Summary

For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.

Impact

If an application uses Request.post() an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.

Patch: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python-aiohttp	=3.10.0-1 \|\| =3.10.1-1 \|\| =3.10.10-1 \|\| =3.10.10-2 \|\| =3.10.11-1 \|\| =3.10.3-1 \|\| =3.10.3-2 \|\| =3.10.3-3 \|\| =3.10.4-1 \|\| =3.10.5-1 \|\| =3.10.6-1 \|\| =3.10.8-1 \|\| =3.11.15-1 \|\| =3.11.16-1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| =3.13.5-1 \|\| =3.8.4-1 \|\| =3.8.4-1+deb12u1 \|\| =3.8.5-1 \|\| =3.8.6-1 \|\| =3.9.1-1 \|\| =3.9.5-1	-
debian 11	python-aiohttp	=3.7.4-1 \|\| =3.7.4-1+deb11u1 \|\| >=0 <3.7.4-1+deb11u2	3.7.4-1+deb11u2
pypi	aiohttp	>=0 <3.13.4	3.13.4
debian 13	python-aiohttp	=3.11.16-1 \|\| =3.11.16-1+deb13u1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| =3.13.5-1	-
debian 14	python-aiohttp	=3.11.16-1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| >=0 <3.13.5-1	3.13.5-1

Aliases

1. CVE-2026-345172. NVD-2026-345173. OSV-DEBIAN-2026-345174. OSV-2026-345175. GHSA-3wq7-rqq7-wx6j6. GCVE-2026-345177. SECURITY-TRACKER-CVE-2026-34517

References

1. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j2. https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b9441453. https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.