CVE Vulnerabilities

CVE-2026-54278

Improper Handling of Highly Compressed Data (Data Amplification)

Published: Jun 22, 2026 | Modified: Jun 26, 2026
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
5.9 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1.

Weakness

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Affected Software

NameVendorStart VersionEnd Version
AiohttpAiohttp*3.14.1 (excluding)
Python-aiohttpUbuntuupstream*

References