aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
Description
Summary
No limit was present on the number of pipelined requests that could be queued.
Impact
An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS.
-----
Patch: https://github.com/aio-libs/aiohttp/commit/dfdfa9d5aad5d21f91c79fb2ceeba0f8046cb6cf
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Affected packages (OSV coordinates; no CPE assigned) and vulnerable version ranges:
- pkg:apk/chainguard/authentik-2026.2: < 2026.2.4-r4
- pkg:apk/chainguard/authentik-fips-2026.2: < 2026.2.4-r3
- pkg:apk/chainguard/metaflow-service-fips: < 2.5.0-r5
- pkg:apk/chainguard/mlflow: < 3.13.0-r1
- pkg:apk/chainguard/mlflow-fips: < 3.13.0-r1
- pkg:apk/chainguard/text-generation-inference: < 3.3.7-r16
- pkg:apk/chainguard/tritonserver-backend-vllm-cuda-13.0: < 25.11-r9
- pkg:apk/wolfi/mlflow: < 3.13.0-r1
- pkg:pypi/aiohttp: < 3.14.1
Vulnerability mechanics
Root cause
"No limit was placed on the number of parsed-but-unhandled pipelined HTTP/1.1 requests buffered per connection, allowing an attacker to accumulate an unbounded backlog and exhaust server memory."
Attack vector
An attacker opens a single HTTP/1.1 connection to the server and sends a slow handler request followed by a large number of pipelined requests. While the server processes the first request, the pipelined requests accumulate in an internal queue without any bound. By keeping one handler busy (e.g., with a slow endpoint), the attacker can cause the queue to grow unboundedly, consuming excessive memory on the server and potentially leading to a denial of service.
What the fix does
The patch introduces a configurable `MAX_MSG_QUEUE_SIZE` (default 32) in `aiohttp/web_protocol.py`. When the number of parsed-but-unhandled pipelined requests reaches this limit, `data_received()` calls `_pause_msg_queue_reading()`, which pauses the underlying transport. As the request handler drains messages in `start()`, it calls `parser.message_consumed()` to free a slot and, once the queue drops to the low-water mark (`MAX_MSG_QUEUE_SIZE // 2`), calls `_resume_msg_queue_reading()` to reparse buffered data and resume the transport. This bounds the per-connection memory a client can pin by pipelining behind a busy handler.
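To make the high-water / low-water behaviour concrete, here is an added simulation of that backpressure scheme (example code written for this page, not aiohttp's implementation; the `Connection`, `simulate` and event names are hypothetical). It models a single HTTP/1.1 connection whose client pipelines many requests behind one slow handler: reading is paused once 32 parsed-but-unhandled requests are queued and resumed once the handler has drained the queue to 16, so the queue never exceeds the limit, whereas with no limit every pipelined request is held in memory at once.

```python
from collections import deque
from typing import List, Optional

MAX_MSG_QUEUE_SIZE = 32  # default limit described in the advisory


class Connection:
    """Hypothetical per-connection queue of parsed-but-unhandled requests."""

    def __init__(self, max_size: Optional[int] = MAX_MSG_QUEUE_SIZE):
        self.max_size = max_size            # None models the unpatched, unbounded queue
        self.low_water = (max_size // 2) if max_size else 0
        self.queue = deque()                # parsed requests waiting for a handler
        self.unparsed = deque()             # bytes left in the transport buffer while paused
        self.paused = False
        self.events: List[str] = []         # "pause"/"resume" transitions, for inspection

    def data_received(self, requests: List[str]) -> None:
        self.unparsed.extend(requests)
        self._parse()

    def _parse(self) -> None:
        # Parse until the buffer is empty or the high-water mark is reached.
        while self.unparsed and not self.paused:
            self.queue.append(self.unparsed.popleft())
            if self.max_size is not None and len(self.queue) >= self.max_size:
                self.paused = True          # transport.pause_reading() in a real server
                self.events.append("pause")

    def handle_one(self) -> Optional[str]:
        """Handler finishes one request; resume reading once the queue drains to low water."""
        if not self.queue:
            return None
        msg = self.queue.popleft()
        if self.paused and len(self.queue) <= self.low_water:
            self.paused = False             # transport.resume_reading() in a real server
            self.events.append("resume")
            self._parse()                   # reparse what stayed buffered while paused
        return msg


def simulate(n_requests: int, max_size: Optional[int]) -> dict:
    """Pipeline n_requests on one connection, drain it, and report the peak queue depth."""
    conn = Connection(max_size)
    # Constructed sample input: one burst of pipelined requests to a slow endpoint.
    conn.data_received([f"GET /slow?n={i} HTTP/1.1" for i in range(n_requests)])
    peak, handled = len(conn.queue), 0
    while conn.handle_one() is not None:
        handled += 1
        peak = max(peak, len(conn.queue))
    return {"peak_queue": peak, "handled": handled, "events": conn.events}


if __name__ == "__main__":
    print("unbounded:", simulate(100, None))
    print("limited:  ", simulate(100, MAX_MSG_QUEUE_SIZE))
```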
Preconditions
- network: The attacker must be able to open an HTTP/1.1 connection to the server and send pipelined requests.
- config: The server must have at least one handler that takes long enough to process that pipelined requests can accumulate.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Aiohttp: Nine CVEs Disclosed in a Single Day, Five Memory-Exhaustion DoS Flaws (Vypr Intelligence, Jun 15, 2026)