AIOHTTP has a Multipart Header Size Bypass

GHSA-m5qp-6w8w-w647 · CVE-2026-34516

Published Apr 1, 2026 · Modified Apr 6, 2026

Description

Summary

A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.

Impact

Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.

Patch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f

References

WEB https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m5qp-6w8w-w647
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34516
WEB https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f
PACKAGE https://github.com/aio-libs/aiohttp
WEB https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes