Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.
Patch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36
| Score | Percentile |
|---|---|
| 0.05% | 16.48% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-w2fm-2cpv-w7v5 ↗ |
| CVE | CVE-2026-22815 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | aiohttp | <= 3.13.3 | 3.13.4 | — |