Skip to content

Payload Response Resources Are Not Closed After Mid-Body Disconnect

Low
Dreamsorcerer published GHSA-9x8q-7h8h-wcw9 Jun 8, 2026

Package

pip aiohttp (pip)

Affected versions

<=3.14.0

Patched versions

3.14.1

Description

Summary

Payload resources are not closed correctly when a client disconnects in the middle of a write.

Impact

If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.


Patch: a762eda

Severity

Low

CVE ID

CVE-2026-54280

Weaknesses

No CWEs

Credits