HIGH 7.5

GHSA-m5qp-6w8w-w647

AIOHTTP has a Multipart Header Size Bypass

Details

### Summary

A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.

### Impact

Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.13.4

Fix pip install --upgrade 'aiohttp>=3.13.4'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m5qp-6w8w-w647 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-34516 [ADVISORY]
https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4 [WEB]