AIOHTTP: Late size enforcement for non-file multipart fields causes memory DoS

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.

Affected Products

Vendor	Product	Versions
aiohttp	aiohttp	< 3.13.4

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j(x_refsource_CONFIRM)
https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145(x_refsource_MISC)
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4(x_refsource_MISC)

Related News (2 articles)

Tier B

CERT-FR21h ago

Multiples vulnérabilités dans les produits VMware (11 mai 2026)

→ No new info (linked only)

Tier C

VulDB39d ago

CVE-2026-34517 | aio-libs aiohttp up to 3.13.3 Multipart Form client_max_size allocation of resources (GHSA-3wq7-rqq7-wx6j)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

aiohttp@3.13.4

CWECWE-770

PublishedApr 1, 2026

Last enriched39d agov2

Trending Score55

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (4)

Version History

Last enriched 39d ago

v2Tier C39d ago

Updated severity to MEDIUM, marked as actively exploited, and noted that no exploit is available.

severityactivelyExploited

via VulDB

v140d ago

Initial creation