aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage

GHSA-w2fm-2cpv-w7v5 · CVE-2026-22815

Published Apr 1, 2026 · Modified Apr 6, 2026

Description

Summary

Insufficient restrictions in header/trailer handling could cause uncapped memory usage.

Impact

An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.

Patch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36

References

WEB https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-22815
WEB https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36
PACKAGE https://github.com/aio-libs/aiohttp
WEB https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes