MEDIUM

GHSA-g3cq-j2xw-wf74

aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

Details

### Summary

During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.

### Impact

An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).

### Workaround

Disable compression if unable to upgrade.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.14.1

Fix pip install --upgrade 'aiohttp>=3.14.1'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74 [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]