AIOHTTP Unbounded DNS Cache Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in AIOHTTP, an asynchronous HTTP client/server framework for Python. Prior to version 3.13.4, the DNS cache in TCPConnector was unbounded, allowing it to grow excessively with requests to many different hosts. This could lead to high memory usage and potentially cause the application to hang or crash.

Impact

Exploitation of this vulnerability could cause excessive memory consumption, leading to a denial-of-service condition where the application becomes unresponsive or crashes.

Reproduction

The vulnerability can be reproduced by using AIOHTTP versions through 3.13.3 and making requests to a large number of different hosts. This will cause the DNS cache to grow without limit, eventually consuming excessive amounts of memory.
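To make the growth concrete, here is an added illustration (not aiohttp's own code) that contrasts an unbounded per-host DNS table with one capped by LRU eviction and a per-entry TTL; the host names and addresses are constructed, and the class names are hypothetical.

```python
import time
from collections import OrderedDict

class UnboundedDNSCache:
    """The vulnerable pattern: one entry per host, nothing is ever evicted."""
    def __init__(self):
        self._table = {}

    def add(self, host, addrs):
        self._table[host] = addrs

    def __len__(self):
        return len(self._table)


class BoundedDNSCache:
    """Capped LRU table with a per-entry TTL; size never exceeds max_entries."""
    def __init__(self, max_entries=256, ttl=10.0, clock=time.monotonic):
        self._table = OrderedDict()      # host -> (addrs, expiry time)
        self._max = max_entries
        self._ttl = ttl
        self._clock = clock              # injectable for deterministic tests

    def add(self, host, addrs):
        self._table.pop(host, None)      # re-insert so the host is most recent
        self._table[host] = (addrs, self._clock() + self._ttl)
        while len(self._table) > self._max:
            self._table.popitem(last=False)   # evict the least recently used host

    def get(self, host):
        entry = self._table.get(host)
        if entry is None:
            return None
        addrs, expiry = entry
        if self._clock() >= expiry:      # stale entry: drop it rather than serve it
            del self._table[host]
            return None
        self._table.move_to_end(host)    # mark as recently used
        return addrs

    def __len__(self):
        return len(self._table)


def fill_with_distinct_hosts(cache, n_hosts):
    """Constructed workload: cache n_hosts distinct names, return the table size."""
    for i in range(n_hosts):
        cache.add(f"host{i}.example.invalid", [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"])
    return len(cache)
```

With the same 10,000-host workload the unbounded table holds 10,000 entries while the bounded one stays at its cap, which is the property a patched resolver cache needs.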

Remediation

Users can upgrade to AIOHTTP version 3.13.4 or later, where this vulnerability has been patched.

Added: Apr 1, 2026, 9:56 PM
Updated: Apr 1, 2026, 9:56 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 8.4
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.