CVE-2026-54278
ADVISORY - github
Summary
During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk.
Impact
An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).
Workaround
Disable compression if unable to upgrade.
Patch: https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232
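The weakness class described above (a compressed body inflated into memory in one piece) is avoided by inflating in capped steps and stopping once a size limit is crossed. The following is an added illustration, not aiohttp's code and not the linked patch; `bounded_inflate`, `make_sample`, `CHUNK` and the limits are assumed names and values, and the sample payload is constructed.

```python
import zlib

CHUNK = 64 * 1024  # assumed cap on bytes produced per decompress call


class DecompressedTooLarge(Exception):
    """The inflated body would exceed the caller's limit."""


def make_sample(n: int) -> bytes:
    """Constructed test input: n zero bytes, zlib-compressed."""
    return zlib.compress(b"\x00" * n, 9)


def bounded_inflate(data: bytes, limit: int) -> bytes:
    """Inflate a gzip- or zlib-wrapped body without ever holding more
    than limit + CHUNK bytes of output.

    A one-shot zlib.decompress(data) would instead allocate the full
    inflated size before any length check could run.
    """
    d = zlib.decompressobj(zlib.MAX_WBITS | 32)  # auto-detect gzip/zlib header
    out = bytearray()
    buf = data
    while not d.eof:
        # max_length bounds this call's output; input that was not
        # consumed yet is kept in d.unconsumed_tail for the next call.
        piece = d.decompress(buf, CHUNK)
        out += piece
        if len(out) > limit:
            raise DecompressedTooLarge(f"body inflates past {limit} bytes")
        buf = d.unconsumed_tail
        if not (piece or buf or d.eof):
            raise ValueError("truncated compressed stream")
    return bytes(out)


if __name__ == "__main__":
    bomb = make_sample(10 * 1024 * 1024)
    print("compressed bytes:", len(bomb))
    try:
        bounded_inflate(bomb, 1024 * 1024)
    except DecompressedTooLarge as exc:
        print("rejected:", exc)
```

The limit has to be enforced on every path that reads the body, including ones that only drain or discard it.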
EPSS Score: 0.00024 (0.072)
Common Weakness Enumeration (CWE)
ADVISORY - github
Improper Handling of Highly Compressed Data (Data Amplification)