CVE-2026-54277: aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines

June 15, 2026

It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser.

References

github.com/advisories/GHSA-63hw-fmq6-xxg2
github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d
github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2
nvd.nist.gov/vuln/detail/CVE-2026-54277

Code Behaviors & Features

Detect and mitigate CVE-2026-54277 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →