Skip to content

CVE-2026-54278 (High) detected in aiohttp-3.13.5-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl #116

Description

@mend-bolt-for-github

CVE-2026-54278 - High Severity Vulnerability

Vulnerable Library - aiohttp-3.13.5-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/2f/86/a6f3ff1fd795f49545a7c74b2c92f62729135d73e7e4055bf74da5a26c82/aiohttp-3.13.5-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl

Path to dependency file: /src/sitemap_warmup/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260505013010_YXFAAC/python_FGAXKO/202605050130121/env/lib/python3.10/site-packages/aiohttp-3.13.5.dist-info

Dependency Hierarchy:

  • aiohttp-3.13.5-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). Workaround Disable compression if unable to upgrade. *** Patch: aio-libs/aiohttp@4f7480e

Publish Date: 2026-06-15

URL: CVE-2026-54278

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4fvr-rgm6-gqmc

Release Date: 2026-06-15

Fix Resolution: 3.14.1


Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions