aiohttp Possible memory leak in the CookieJar (Fix)

The Fix

Fixes a memory leak in CookieJar.filter_cookies() that was causing unbounded memory growth when making requests to different URL paths. The issue was introduced in version 3.10.0.

Based on closed aio-libs/aiohttp issue #11052 · PR/commit linked

Jump to Verify Open PR/Commit

@@ -0,0 +1,2 @@
@@ -0,0 +1,2 @@
+Fixed memory leak in :py:meth:`~aiohttp.CookieJar.filter_cookies` that caused unbounded memory growth
+when making requests to different URL paths -- by :user:`bdraco` and :user:`Cycloctane`.
diff --git a/CHANGES/11054.bugfix.rst b/CHANGES/11054.bugfix.rst

repro.py

import asyncio 

async def do_test():
    from aiohttp import ClientSession
    from pprint import pprint

    async with ClientSession() as cs:
        for i in range(10):
            async with cs.get(f'http://httpbin.org/cookies/set/test/val{i}', allow_redirects=False) as r:
                print(f'{len(cs.cookie_jar._cookies)=}', end=' ')
                print(f'{r.headers["set-cookie"]=}')

        print('='*40)
        pprint(dict(cs.cookie_jar._cookies))

if __name__ == '__main__':
    asyncio.run(do_test())

verify

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

fix.md

Option A — Apply the official fix\nFixes a memory leak in CookieJar.filter_cookies() that was causing unbounded memory growth when making requests to different URL paths. The issue was introduced in version 3.10.0.\nWhen NOT to use: Do not use this fix if your application relies on the previous behavior of cookie handling.\n\n

Why This Fix Works in Production

Trigger: Possible memory leak in the CookieJar
Mechanism: The filter_cookies() method was creating empty cookie entries for every domain-path combination checked

Production impact:

If left unfixed, this can cause silent data inconsistencies that propagate (bad cache entries, incorrect downstream decisions).

Why This Breaks in Prod

The filter_cookies() method was creating empty cookie entries for every domain-path combination checked
Production symptom (often without a traceback): Possible memory leak in the CookieJar

Proof / Evidence

GitHub issue: #11052
Fix PR: https://github.com/aio-libs/aiohttp/pull/11054
Reproduced locally: No (not executed)
Last verified: 2026-02-09
Confidence: 0.70
Did this fix it?: Yes (upstream fix exists)
Own content ratio: 0.62

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub

“filter_cookies() is creating empty entries when enumerating domain-path combinations in self._cookie defaultdict. https://github.com/aio-libs/aiohttp/blob/c50f332db3cec7614afb2216e916b25e5b38afb9/aiohttp/cookiejar.py#L352-L358”

@Cycloctane · 2025-05-28 · source

“Hmm, we started tracking the paths for cookies properly in 3.9: https://github.com/aio-libs/aiohttp/pull/6638 Though, as you say, the Path appears to be /, so it looks…”

@Dreamsorcerer · 2025-05-27 · source

Failure Signature (Search String)

Possible memory leak in the CookieJar
```python-traceback

Copy-friendly signature

signature.txt

Failure Signature
-----------------
Possible memory leak in the CookieJar
```python-traceback

Error Message

Signature-only (no traceback captured)

error.txt

Error Message
-------------
Possible memory leak in the CookieJar
```python-traceback

Minimal Reproduction

repro.py

import asyncio 

async def do_test():
    from aiohttp import ClientSession
    from pprint import pprint

    async with ClientSession() as cs:
        for i in range(10):
            async with cs.get(f'http://httpbin.org/cookies/set/test/val{i}', allow_redirects=False) as r:
                print(f'{len(cs.cookie_jar._cookies)=}', end=' ')
                print(f'{r.headers["set-cookie"]=}')

        print('='*40)
        pprint(dict(cs.cookie_jar._cookies))

if __name__ == '__main__':
    asyncio.run(do_test())

What Broke

Memory usage increases indefinitely when making requests with aiohttp ClientSession to a server that sets cookies.

Why It Broke

The filter_cookies() method was creating empty cookie entries for every domain-path combination checked

Fix Options (Details)

Option A — Apply the official fix

Fixes a memory leak in CookieJar.filter_cookies() that was causing unbounded memory growth when making requests to different URL paths. The issue was introduced in version 3.10.0.

When NOT to use: Do not use this fix if your application relies on the previous behavior of cookie handling.

Fix reference: https://github.com/aio-libs/aiohttp/pull/11054

Last verified: 2026-02-09. Validate in your environment.

When NOT to Use This Fix

Do not use this fix if your application relies on the previous behavior of cookie handling.

Verify Fix

verify

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

Track RSS + object counts after deployments; alert on monotonic growth and GC pressure.
Add a long-running test that repeats the failing call path and asserts stable memory.

Related Issues

No related fixes found.

Cluster: aiohttp:data-consistency All hubs All clusters

Related clusters: Configuration error Race condition Auth

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.