VYPR
High severity · NVD Advisory · Published May 2, 2024 · Updated Nov 3, 2025

Denial of service when trying to parse malformed POST requests in aiohttp

CVE-2024-30251

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: aiohttp (PyPI)
Affected versions: < 3.9.4
Patched versions: 3.9.4
