MEDIUM

GHSA-xcgm-r5h9-7989

aiohttp: Incomplete websocket frame payloads bypass memory limits

Details

### Summary

If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.

### Impact

If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d

Enter the version of the package you're using.

Introduced in: 0 Fixed in: 3.14.1

Fix pip install --upgrade 'aiohttp>=3.14.1'