Skip to main content

aiohttp CVE-2026-54280

| EUVDEUVD-2026-38316 LOW
Improper Resource Shutdown or Release (CWE-404)
2026-06-15 https://github.com/aio-libs/aiohttp GHSA-9x8q-7h8h-wcw9
1.7
CVSS 4.0 · Vendor: https://github.com/aio-libs/aiohttp

Severity by source

Vendor (https://github.com/aio-libs/aiohttp) PRIMARY
1.7 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable with no auth or user interaction required; impact is low-severity transient availability loss via FD exhaustion; no confidentiality or integrity impact applies.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/aio-libs/aiohttp).

CVSS VectorVendor: https://github.com/aio-libs/aiohttp

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 18:23 NVD
1.7 (LOW)
Source Code Evidence Fetched
Jun 15, 2026 - 20:36 vuln.today
Analysis Generated
Jun 15, 2026 - 20:36 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 42,718 pypi packages depend on aiohttp (14,813 direct, 28,685 indirect)

Ecosystem-wide dependent count for version 3.14.1.

DescriptionCVE.org

Summary

Payload resources are not closed correctly when a client disconnects in the middle of a write.

Impact

If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587

AnalysisAI

Resource leak in aiohttp's response write_eof method allows unauthenticated remote attackers to cause temporary file descriptor exhaustion by repeatedly disconnecting mid-response. All aiohttp versions up to and including 3.14.0 fail to invoke Payload.close() when a write is interrupted by a client disconnection, exception, or asyncio task cancellation, leaving file handles and similar OS-level resources open until Python's garbage collector intervenes. No public exploit code exists and no active exploitation has been confirmed; however, the attack requires no authentication, no special configuration, and is straightforward to automate against any endpoint serving file-backed responses. The advisory's 'Information Disclosure' tag appears inconsistent with the actual impact, which is purely availability (transient resource starvation).

Technical ContextAI

aiohttp is an async HTTP client/server framework for Python, distributed via pip (CPE: pkg:pip/aiohttp). The flaw resides in aiohttp/web_response.py within the write_eof() coroutine of the Response class. Before the fix, the method called await self._body.write(self._payload_writer) sequentially followed by await self._body.close(). If write() raised any exception - most commonly ConnectionResetError when a TCP client disconnected mid-transfer - or if the enclosing asyncio Task was cancelled (e.g., request timeout), Python's exception propagation caused execution to bypass close(), leaving any OS resource held by the Payload (e.g., an open file descriptor) unreleased. This is a textbook CWE-404 (Improper Resource Shutdown or Release): the cleanup path was conditional on the happy path rather than guaranteed. The commit diff at a762eda5242f6490d6ba667533193f8b473ad587 shows the fix as a minimal two-line change: wrapping write() in a try block with close() moved to a finally clause, ensuring the Payload lifecycle is always honored regardless of how write() terminates.

RemediationAI

Upgrade aiohttp to version 3.14.1 or later, which is the vendor-released patch and the only complete fix. The upstream change is at https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587. For environments that cannot upgrade immediately, serving file content by reading it fully into memory before constructing a BytesPayload or StringPayload response eliminates the resource-leak vector entirely, at the cost of increased memory usage for large files. Applying rate-limiting per client IP on inbound connections reduces an attacker's ability to accumulate leaked file descriptors faster than GC reclaims them, though this is a mitigation rather than a fix. Monitoring the server process's open file descriptor count (e.g., via /proc/<pid>/fd on Linux) can provide early warning of exploitation attempts.

Share

CVE-2026-54280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy