GHSA-xcgm-r5h9-7989Medium

aiohttp: Incomplete websocket frame payloads bypass memory limits

Published
June 15, 2026
Last Modified
June 15, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.

Impact

If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use.


Patch: https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d

🎯 Affected products1

  • pip/aiohttp:<= 3.14.0

🔗 References (2)