aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
Description
Published to the GitHub Advisory Database: Apr 1, 2026
Reviewed: Apr 1, 2026
Published by the National Vulnerability Database: Apr 1, 2026
Last updated: Apr 6, 2026
Summary
Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
Impact
An application could exhaust memory when receiving an attacker-controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.
Patch: aio-libs/aiohttp@0c2e9da
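An added example, not aiohttp's code and not the patch referenced above: a trailer-section parser that bounds both the number of trailer fields and the total bytes it buffers, which is the kind of restriction the summary says was insufficient. The limit values, function and class names, and sample inputs are assumptions made for illustration.

```python
import io

MAX_TRAILER_FIELDS = 32    # assumed cap, not a value taken from aiohttp
MAX_TRAILER_BYTES = 8192   # assumed cap on the whole trailer section

# Constructed sample inputs: the bytes that follow the final zero-length chunk.
SAMPLE_OK = b"Checksum: abc123\r\nX-Trace: 1\r\n\r\n"
SAMPLE_FLOOD = b"".join(b"X-%d: a\r\n" % i for i in range(100000)) + b"\r\n"
SAMPLE_LONG = b"X-Big: " + b"a" * 100000 + b"\r\n\r\n"


class TrailerLimitExceeded(ValueError):
    """The trailer section is larger than the receiver is willing to buffer."""


def read_trailers(stream, max_fields=MAX_TRAILER_FIELDS, max_bytes=MAX_TRAILER_BYTES):
    """Parse trailer fields up to the empty line that ends the message.

    Fails as soon as either budget is exceeded, so the memory held for
    trailers is bounded by max_bytes no matter what the peer sends.
    """
    trailers = []
    used = 0
    while True:
        # Ask for at most the remaining budget plus one byte to detect overrun.
        line = stream.readline(max_bytes - used + 1)
        used += len(line)
        if used > max_bytes:
            raise TrailerLimitExceeded("trailer section exceeds %d bytes" % max_bytes)
        if not line.endswith(b"\n"):
            raise ValueError("truncated trailer section")
        line = line.rstrip(b"\r\n")
        if not line:
            return trailers  # empty line terminates the trailer section
        if len(trailers) >= max_fields:
            raise TrailerLimitExceeded("more than %d trailer fields" % max_fields)
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed trailer field")
        trailers.append((name.lower(), value.strip()))


if __name__ == "__main__":
    print(read_trailers(io.BytesIO(SAMPLE_OK)))
```

Both oversized samples are rejected after reading only a bounded prefix of the input, rather than after the whole section has been accumulated.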