aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS a zip bomb edge case. Workaround...

PT-2026-29606

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description Prior to version 3.13.4, AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, read the entire multipart form field into memory before checking the client max size limit. Thi...