VYPR
Medium severity · 5.3 · NVD Advisory · Published Apr 1, 2026 · Updated Apr 15, 2026

CVE-2026-34517

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
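To make the mechanics of the description concrete, the following is an added example (not aiohttp's own code) that contrasts the two read strategies behind this CVE: buffering the whole multipart field and checking client_max_size afterwards, versus checking a running total on every chunk. The FakeField reader and the HTTPRequestEntityTooLarge class are stand-ins constructed for the demo; only the shape of the bounded loop mirrors the patched aiohttp code.

```python
# Added example, not aiohttp's code. FakeField and the exception class are
# constructed stand-ins so the comparison runs offline.
import asyncio
from typing import Tuple


class HTTPRequestEntityTooLarge(Exception):
    """Stand-in for aiohttp.web.HTTPRequestEntityTooLarge (HTTP 413)."""

    def __init__(self, max_size: int, actual_size: int) -> None:
        super().__init__(f"max_size={max_size} actual_size={actual_size}")
        self.max_size = max_size
        self.actual_size = actual_size


class FakeField:
    """Constructed stand-in for a multipart BodyPartReader: serves a body in
    fixed-size chunks and records how many bytes were pulled into memory."""

    def __init__(self, body: bytes, chunk_size: int = 8192) -> None:
        self._body = body
        self._chunk_size = chunk_size
        self.bytes_consumed = 0

    async def read_chunk(self) -> bytes:
        start = self.bytes_consumed
        chunk = self._body[start:start + self._chunk_size]
        self.bytes_consumed += len(chunk)
        return chunk  # b"" once exhausted, like aiohttp's read_chunk()

    async def read(self) -> bytes:
        data = bytearray()
        while chunk := await self.read_chunk():
            data.extend(chunk)
        return bytes(data)


async def read_field_unbounded(field: FakeField, max_size: int) -> bytes:
    """Pre-3.13.4 shape: the whole field lands in memory, then the limit is checked."""
    value = await field.read()
    if 0 < max_size < len(value):
        raise HTTPRequestEntityTooLarge(max_size=max_size, actual_size=len(value))
    return value


async def read_field_bounded(field: FakeField, max_size: int, size: int = 0) -> bytes:
    """Patched shape: the running total is checked per chunk, so buffering stops
    at most one chunk past max_size. `size` carries bytes already counted for
    earlier fields of the same request; max_size == 0 means unlimited."""
    raw_data = bytearray()
    while chunk := await field.read_chunk():
        size += len(chunk)
        if 0 < max_size < size:
            raise HTTPRequestEntityTooLarge(max_size=max_size, actual_size=size)
        raw_data.extend(chunk)
    return bytes(raw_data)


def compare(body_len: int, max_size: int, chunk_size: int = 8192) -> Tuple[int, int]:
    """Run both readers over a constructed body of body_len bytes and return
    (unbounded_consumed, bounded_consumed): bytes each pulled into memory
    before raising or finishing."""

    async def run(reader) -> int:
        field = FakeField(b"A" * body_len, chunk_size)
        try:
            await reader(field, max_size)
        except HTTPRequestEntityTooLarge:
            pass
        return field.bytes_consumed

    return asyncio.run(run(read_field_unbounded)), asyncio.run(run(read_field_bounded))


if __name__ == "__main__":
    # 1 MiB limit against a 50 MiB field: the old path buffers all 50 MiB,
    # the patched path stops on the first chunk that crosses the limit.
    print(compare(50 * 1024 * 1024, 1024 * 1024))
```

With an 8 KiB chunk size and a 1 MiB limit, the bounded reader rejects a 50 MiB field after 129 chunks (1,056,768 bytes), while the unbounded reader has already held all 52,428,800 bytes before it notices. Fields under the limit, or a limit of 0 (unlimited), behave identically in both paths.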

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
aiohttp   PyPI        < 3.13.4            3.13.4

Affected products

  • cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
    Range: <3.13.4

Patches

cbb774f38330

[PR #12216/9cc4b917 backport][3.13] Check multipart max_size during iteration (#12229)

https://github.com/aio-libs/aiohttp · patchback[bot] · Mar 10, 2026 · via ghsa
1 file changed · +14 −6
  • aiohttp/web_request.py · +14 −6 · modified
    @@ -769,17 +769,25 @@ async def post(self) -> "MultiDictProxy[Union[str, bytes, FileField]]":
                             out.add(field.name, ff)
                         else:
                             # deal with ordinary data
    -                        value = await field.read(decode=True)
    +                        raw_data = bytearray()
    +                        while chunk := await field.read_chunk():
    +                            size += len(chunk)
    +                            if 0 < max_size < size:
    +                                raise HTTPRequestEntityTooLarge(
    +                                    max_size=max_size, actual_size=size
    +                                )
    +                            raw_data.extend(chunk)
    +
    +                        value = bytearray()
    +                        # form-data doesn't support compression, so don't need to check size again.
    +                        async for d in field.decode_iter(raw_data):
    +                            value.extend(d)
    +
                             if field_ct is None or field_ct.startswith("text/"):
                                 charset = field.get_charset(default="utf-8")
                                 out.add(field.name, value.decode(charset))
                             else:
                                 out.add(field.name, value)
    -                        size += len(value)
    -                        if 0 < max_size < size:
    -                            raise HTTPRequestEntityTooLarge(
    -                                max_size=max_size, actual_size=size
    -                            )
                     else:
                         raise ValueError(
                             "To decode nested multipart you need to use custom reader",
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References


News mentions


No linked articles in our index yet.