MEDIUM

GHSA-63hw-fmq6-xxg2

aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines

Details

### Summary

It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser.

### Impact

If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.14.1

Fix pip install --upgrade 'aiohttp>=3.14.1'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2 [WEB]
https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]