
10 matches found

EUVD
added 2026/05/18 5:35 p.m., 7 views

EUVD-2026-29440

multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception...

CVSS 7.5 | AI score 5.8 | EPSS 0.00016
Exploits: 1 | References: 4

OSV
added 2026/04/01 9:47 p.m., 2 views

GHSA-3WQ7-RQQ7-WX6J AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Summary: For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. Impact: If an application uses Request.post an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimate...

CVSS 6.9 | AI score 5.9 | EPSS 0.00019
Exploits: 0 | References: 5

Snyk
added 2026/04/01 9:47 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Request.post function. An attacker can cause excessive memory allocation by sending a specially crafted multipart request containing large non-file fields. Remediation: Upgrade...

CVSS 6.9 | AI score 5.9 | EPSS 0.00019
Exploits: 0 | References: 2

EUVD
added 2026/04/01 9:47 p.m., 2 views

EUVD-2026-18041

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS...

CVSS 6.9 | AI score 5.9 | EPSS 0.00019
Exploits: 0 | References: 4

GitHub Security Blog
added 2026/04/01 9:47 p.m., 3 views

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Summary: For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. Impact: If an application uses Request.post an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimate...

CVSS 6.9 | AI score 5.9 | EPSS 0.00019
Exploits: 0 | References: 5 | Affected Software: 1

CVE
added 2026/04/01 8:14 p.m., 15 views

CVE-2026-34517

CVE-2026-34517 (AIOHTTP) affects the AIOHTTP Python library. Before version 3.13.4, some multipart form fields caused the library to read the entire field into memory before enforcing the request size limit (client_max_size), creating a potential memory-based denial of service. The issue has been...

CVSS 6.9 | AI score 5.8 | EPSS 0.00019
Exploits: 0 | References: 3 | Affected Software: 1

Positive Technologies
added 2026/04/01 12:0 a.m., 1 views

PT-2026-29606

Name of the Vulnerable Software and Affected Versions: AIOHTTP versions prior to 3.13.4. Description: Prior to version 3.13.4, AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, read the entire multipart form field into memory before checking the client max size limit. Thi...

CVSS 6.9 | AI score 5.9 | EPSS 0.00019
Exploits: 0 | References: 7

CNNVD
added 2026/04/01 12:0 a.m., 1 views

aiohttp security vulnerability

Aiohttp is an open-source framework developed by aio-libs, used for asynchronous HTTP client/server interactions with asyncio and Python. Versions of AIOHTTP prior to 3.13.4 contained security vulnerabilities. These vulnerabilities stemmed from a flaw in aiohttp’s handling of certain multipart fo...

CVSS 6.9 | AI score 5.8 | EPSS 0.00019
Exploits: 0 | References: 2

SUSE CVE
added 2025/02/14 6:14 a.m., 2 views

SUSE CVE-2023-41835

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fi...

CVSS 7.5 | AI score 7.5 | EPSS 0.00224
Exploits: 0 | References: 3

OSV
added 2023/06/14 9:30 a.m., 0 views

GHSA-8F6X-V685-G2XC Apache Struts vulnerable to memory exhaustion

Denial of service via out of memory (OOM) owing to not properly checking list bounds. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to OOM if a developer has set struts.multipart.maxSize to a...

CVSS 6.5 | AI score 5.9 | EPSS 0.00066
Exploits: 0 | References: 8