aiohttp: zip bomb DoS via compressed request body decompression
What changed
A security advisory was published for aiohttp: during cleanup, a compressed request body can be decompressed into memory in one chunk, potentially leading to a zip bomb edge case DoS.
Who it affects
Users of aiohttp who accept compressed request bodies.
What to do today
Upgrade to the patched version or disable compression as a workaround.
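The issue described under "What changed", as an added illustration (not aiohttp's code or its patch): one-shot decompression materialises the whole output at once, while an incremental decompress with an output budget fails fast. The function names, the raw zlib stream, the 1 MiB cap and the sample payload are assumptions constructed for this example.

```python
import zlib

class BodyTooLarge(Exception):
    """Decompressed output exceeded the configured cap."""

def make_sample(size: int) -> bytes:
    """Constructed input: `size` zero bytes, compressed to a tiny payload."""
    return zlib.compress(b"\x00" * size, 9)

def decompress_one_shot(data: bytes) -> bytes:
    """Risky pattern: the entire output is materialised by a single call."""
    return zlib.decompress(data)

def decompress_bounded(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate incrementally; raise as soon as output exceeds max_out bytes."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while buf and not d.eof:
        # Allow one byte past the cap so an overrun is detectable. The budget
        # is always >= 1, which matters because max_length=0 means "no limit".
        budget = min(chunk, max_out - len(out) + 1)
        out += d.decompress(buf, budget)
        if len(out) > max_out:
            raise BodyTooLarge(f"output exceeds {max_out} bytes")
        buf = d.unconsumed_tail  # input zlib held back because of the budget
    if not d.eof:
        raise ValueError("truncated or corrupt compressed stream")
    return bytes(out)

if __name__ == "__main__":
    sample = make_sample(10 * 1024 * 1024)
    print(f"{len(sample)} compressed bytes -> {len(decompress_one_shot(sample))}")
    try:
        decompress_bounded(sample, max_out=1024 * 1024)
    except BodyTooLarge as exc:
        print("rejected:", exc)
```

The bounded version never holds more than the cap plus one byte of output, so the size of the compressed input no longer determines peak memory.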