Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with no auth or user interaction required; impact is low-severity transient availability loss via FD exhaustion; no confidentiality or integrity impact applies.
Primary rating from Vendor (https://github.com/aio-libs/aiohttp).
CVSS VectorVendor: https://github.com/aio-libs/aiohttp
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 42,718 pypi packages depend on aiohttp (14,813 direct, 28,685 indirect)
Ecosystem-wide dependent count for version 3.14.1.
DescriptionCVE.org
Summary
Payload resources are not closed correctly when a client disconnects in the middle of a write.
Impact
If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.
-----
Patch: https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587
AnalysisAI
Resource leak in aiohttp's response write_eof method allows unauthenticated remote attackers to cause temporary file descriptor exhaustion by repeatedly disconnecting mid-response. All aiohttp versions up to and including 3.14.0 fail to invoke Payload.close() when a write is interrupted by a client disconnection, exception, or asyncio task cancellation, leaving file handles and similar OS-level resources open until Python's garbage collector intervenes. No public exploit code exists and no active exploitation has been confirmed; however, the attack requires no authentication, no special configuration, and is straightforward to automate against any endpoint serving file-backed responses. The advisory's 'Information Disclosure' tag appears inconsistent with the actual impact, which is purely availability (transient resource starvation).
Technical ContextAI
aiohttp is an async HTTP client/server framework for Python, distributed via pip (CPE: pkg:pip/aiohttp). The flaw resides in aiohttp/web_response.py within the write_eof() coroutine of the Response class. Before the fix, the method called await self._body.write(self._payload_writer) sequentially followed by await self._body.close(). If write() raised any exception - most commonly ConnectionResetError when a TCP client disconnected mid-transfer - or if the enclosing asyncio Task was cancelled (e.g., request timeout), Python's exception propagation caused execution to bypass close(), leaving any OS resource held by the Payload (e.g., an open file descriptor) unreleased. This is a textbook CWE-404 (Improper Resource Shutdown or Release): the cleanup path was conditional on the happy path rather than guaranteed. The commit diff at a762eda5242f6490d6ba667533193f8b473ad587 shows the fix as a minimal two-line change: wrapping write() in a try block with close() moved to a finally clause, ensuring the Payload lifecycle is always honored regardless of how write() terminates.
RemediationAI
Upgrade aiohttp to version 3.14.1 or later, which is the vendor-released patch and the only complete fix. The upstream change is at https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587. For environments that cannot upgrade immediately, serving file content by reading it fully into memory before constructing a BytesPayload or StringPayload response eliminates the resource-leak vector entirely, at the cost of increased memory usage for large files. Applying rate-limiting per client IP on inbound connections reduces an attacker's ability to accumulate leaked file descriptors faster than GC reclaims them, though this is a mitigation rather than a fix. Monitoring the server process's open file descriptor count (e.g., via /proc/<pid>/fd on Linux) can provide early warning of exploitation attempts.
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38316
GHSA-9x8q-7h8h-wcw9