CVE-2024-30251 HIGH

CVE-2024-30251: Denial of service when trying to parse malformed POST requests in aiohttp

Vendor Aio-Libs

Product aiohttp

Weakness CWE-835

Published May 2, 2024

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions.

Key dates

02Disclosure timeline

May 2, 2024 CVE published

November 3, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-30251

Related vulnerabilities

CVE-2024-30251: Denial of service when trying to parse malformed POST requests in aiohttp

01Description

02Disclosure timeline

03References

04Related CVE