What is GHSA-g3cq-j2xw-wf74?

GHSA-g3cq-j2xw-wf74 is a security advisory published by GitHub Security Advisories with Medium severity. aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

Which CVE IDs does GHSA-g3cq-j2xw-wf74 cover?

GHSA-g3cq-j2xw-wf74 covers the following CVE IDs: CVE-2026-54278. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-g3cq-j2xw-wf74?

GHSA-g3cq-j2xw-wf74 affects 1 product, including: pip/aiohttp:\u003c= 3.14.0.

GHSA-g3cq-j2xw-wf74Medium

aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

Vendor

GitHub Security Advisories

Published

June 15, 2026

Last Modified

June 15, 2026

🔗 CVE IDs covered (1)

CVE-2026-54278 →

📋 Description

Summary

During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.

Impact

An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).

Workaround

Disable compression if unable to upgrade.

Patch: https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232

🎯 Affected products1

pip/aiohttp:<= 3.14.0

🔗 References (2)

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74
https://github.com/advisories/GHSA-g3cq-j2xw-wf74