aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

When

2026-06-15 20:09 UTC

Where

Global (internet)

Category

cyber_advisory · pip

### Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. ### Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). ### Workaround Disable compression if unable to upgrade. ----- Patch: https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232

Sources

• GitHub Advisory Database ↗ · first seen 2026-06-15 20:09 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

• aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
  Shared actorsInvolves pip/aiohttp, pip/aiohttp· 81% match
• aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
  Shared actorsInvolves pip/aiohttp, pip/aiohttp· 81% match
• aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
  Shared actorsInvolves pip/aiohttp, pip/aiohttp· 81% match
• aiohttp: Incomplete websocket frame payloads bypass memory limits
  Shared actorsInvolves pip/aiohttp, pip/aiohttp· 81% match
• aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
  Shared actorsInvolves pip/aiohttp, pip/aiohttp· 81% match
• aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
  Shared actorsInvolves pip/aiohttp, pip/aiohttp· 81% match
• aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
  Shared actorsInvolves pip/aiohttp, pip/aiohttp· 81% match
• aiohttp: CRLF injection in multipart headers
  Shared actorsInvolves pip/aiohttp, pip/aiohttp· 81% match

← Back to the live map