GHSA-m5qp-6w8w-w647

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

AIOHTTP has a Multipart Header Size Bypass

Details

Summary

A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.

Impact

Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.

Patch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-770"
    ],
    "github_reviewed_at": "2026-04-01T21:43:07Z",
    "github_reviewed": true,
    "nvd_published_at": "2026-04-01T21:16:59Z"
}

References

Affected packages

PyPI / aiohttp

Package

Name: aiohttp; View open source insights on deps.dev
Purl: pkg:pypi/aiohttp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.13.4

Affected versions

0.*

0.1

0.2

0.3

0.4

0.4.1

0.4.2

0.4.3

0.4.4

0.5.0

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.7.0

0.7.1

0.7.2

0.7.3

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.9.0

0.9.1

0.9.2

0.9.3

0.10.0

0.10.1

0.10.2

0.11.0

0.12.0

0.13.0

0.13.1

0.14.0

0.14.1

0.14.2

0.14.3

0.14.4

0.15.0

0.15.1

0.15.2

0.15.3

0.16.0

0.16.1

0.16.2

0.16.3

0.16.4

0.16.5

0.16.6

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.19.0

0.20.0

0.20.1

0.20.2

0.21.0

0.21.1

0.21.2

0.21.4

0.21.5

0.21.6

0.22.0a0

0.22.0b0

0.22.0b1

0.22.0b2

0.22.0b3

0.22.0b4

0.22.0b5

0.22.0b6

0.22.0

0.22.1

0.22.2

0.22.3

0.22.4

0.22.5

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.5

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

2.*

2.0.0rc1

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0a1

2.3.0a2

2.3.0a3

2.3.0a4

2.3.0

2.3.1a1

2.3.1

2.3.2b2

2.3.2b3

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

3.*

3.0.0b0

3.0.0b1

3.0.0b2

3.0.0b3

3.0.0b4

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.1.3

3.2.0

3.2.1

3.3.0a0

3.3.0

3.3.1

3.3.2a0

3.3.2

3.4.0a0

3.4.0a3

3.4.0b1

3.4.0b2

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.5.0a1

3.5.0b1

3.5.0b2

3.5.0b3

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.6.0a0

3.6.0a1

3.6.0a2

3.6.0a3

3.6.0a4

3.6.0a5

3.6.0a6

3.6.0a7

3.6.0a8

3.6.0a9

3.6.0a11

3.6.0a12

3.6.0b0

3.6.0

3.6.1b3

3.6.1b4

3.6.1

3.6.2a0

3.6.2a1

3.6.2a2

3.6.2

3.6.3

3.7.0b0

3.7.0b1

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.4.post0

3.8.0a7

3.8.0b0

3.8.0

3.8.1

3.8.2

3.8.3

3.8.4

3.8.5

3.8.6

3.9.0b0

3.9.0b1

3.9.0rc0

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4rc0

3.9.4

3.9.5

3.10.0b1

3.10.0rc0

3.10.0

3.10.1

3.10.2

3.10.3

3.10.4

3.10.5

3.10.6rc0

3.10.6rc1

3.10.6rc2

3.10.6

3.10.7

3.10.8

3.10.9

3.10.10

3.10.11rc0

3.10.11

3.11.0b0

3.11.0b1

3.11.0b2

3.11.0b3

3.11.0b4

3.11.0b5

3.11.0rc0

3.11.0rc1

3.11.0rc2

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.5

3.11.6

3.11.7

3.11.8

3.11.9

3.11.10

3.11.11

3.11.12

3.11.13

3.11.14

3.11.15

3.11.16

3.11.17

3.11.18

3.12.0b0

3.12.0b1

3.12.0b2

3.12.0b3

3.12.0rc0

3.12.0rc1

3.12.0

3.12.1rc0

3.12.1

3.12.2

3.12.3

3.12.4

3.12.6

3.12.7rc0

3.12.7

3.12.8

3.12.9

3.12.10

3.12.11

3.12.12

3.12.13

3.12.14

3.12.15

3.13.0

3.13.1

3.13.2

3.13.3

Database specific

last_known_affected_version_range

"<= 3.13.3"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m5qp-6w8w-w647/GHSA-m5qp-6w8w-w647.json"