
The Fix

Updates the Brotli decompressor to ensure compatibility with the new Brotli version by adjusting the maximum output size parameter.

Based on closed aio-libs/aiohttp issue #11939 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

@@ -0,0 +1,2 @@ @@ -0,0 +1,2 @@ +``Brotli`` and ``brotlicffi`` minimum version is now 1.2. +Decompression now has a default maximum output size of 32MiB per decompress call -- by :user:`Dreamsorcerer`. diff --git a/aiohttp/compression_utils.py b/aiohttp/compression_utils.py
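Review bot: the changelog entry in the first hunk raises the ``Brotli`` and ``brotlicffi`` minimum to 1.2 without saying what a user on an older release should expect, and states the 32MiB default "per decompress call" without saying what happens when output exceeds it or how a caller changes the limit. Suggest one added sentence for each, and consider an explicit version check in aiohttp/compression_utils.py so an unsupported backend is reported by name and version.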

Why This Fix Works in Production

  • Trigger: chunk = self.decompressor.decompress_sync(
  • Mechanism: aiohttp's decompressor calls Brotli's process method with two arguments (data and max_length), but the installed Brotli 1.1.0 accepts only one; aiohttp's minimum supported Brotli version is now 1.2
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • Shows up under Python 3.12 in real deployments (not just unit tests).
  • aiohttp's decompressor calls Brotli's process method with two arguments (data and max_length), but the installed Brotli 1.1.0 accepts only one
  • Surfaces as: TypeError: process() takes exactly 1 argument (2 given)

Proof / Evidence

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“As per the changelog (and the speedups dependency pins), the minimum supported version is now 1.2. This is needed to resolve a security issue, hence…”
@Dreamsorcerer · 2026-01-09 · source
“Ahh this was just a versioning issue. Sorry for the noise.”
@rgeronimi · 2026-01-09 · source

Failure Signature (Search String)

  • chunk = self.decompressor.decompress_sync(

Error Message

Stack trace
error.txt
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/micromamba/2.1.0/envs/standard/lib/python3.12/site-packages/aiohttp/http_parser.py", line 1030, in feed_data
    chunk = self.decompressor.decompress_sync(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/micromamba/2.1.0/envs/standard/lib/python3.12/site-packages/aiohttp/compression_utils.py", line 312, in decompress_sync
    return cast(bytes, self._obj.process(data, max_length))
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: process() takes exactly 1 argument (2 given)

Minimal Reproduction

repro.py
    % mamba list | fgrep -i -e aiohttp -e brotli -e python
    aiohttp          3.13.3    py312h9f8c436_0      conda-forge
    brotli           1.1.0     h6caf38d_4           conda-forge
    brotli-bin       1.1.0     h6caf38d_4           conda-forge
    brotli-python    1.1.0     py312h6b01ec3_4      conda-forge
    libbrotlicommon  1.1.0     h6caf38d_4           conda-forge
    libbrotlidec     1.1.0     h6caf38d_4           conda-forge
    libbrotlienc     1.1.0     h6caf38d_4           conda-forge
    python           3.12.12   h18782d2_1_cpython   conda-forge

Environment

  • Python: 3.12

What Broke

Application fails to decompress responses, leading to download failures for over 100,000 files.

Why It Broke

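aiohttp's decompressor calls Brotli's process method with two arguments (data and max_length), but the installed Brotli 1.1.0 accepts only one. aiohttp's minimum supported Brotli version is now 1.2, so the environment above is below the supported minimum.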

Fix Options (Details)

Option A — Apply the official fix

Updates the Brotli decompressor to ensure compatibility with the new Brotli version by adjusting the maximum output size parameter.

When NOT to use: Do not use this fix if you rely on the previous behavior of the decompressor.

Fix reference: https://github.com/aio-libs/aiohttp/pull/11898

Last verified: 2026-02-09. Validate in your environment.



Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.


Prevention

  • Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
  • Pin production dependencies and upgrade only with a reproducible test that hits the failing path.
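A startup or CI guard for the version mismatch described on this page, as an added example (not aiohttp's own code). It reports a Brotli backend older than 1.2 by name and version before any response is decoded. Assumptions: the backends are installed under the PyPI distribution names Brotli and brotlicffi, and the function names are hypothetical.

```python
"""Startup guard (added example): refuse to run with a Brotli backend older than 1.2."""
import re
from importlib import metadata

MIN_VERSION = (1, 2)                  # minimum stated in the aiohttp changelog entry
BACKENDS = ("Brotli", "brotlicffi")   # PyPI distribution names (assumption)


def parse_release(version: str) -> tuple[int, ...]:
    """Leading numeric components of a version string: '1.2.0rc1' -> (1, 2, 0)."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group().split("."))


def installed_backends() -> dict[str, str]:
    """Versions of the Brotli backends present in this environment."""
    found = {}
    for name in BACKENDS:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue  # backend not installed: nothing to check for it
    return found


def too_old(found: dict[str, str]) -> list[str]:
    """One message per backend below MIN_VERSION; an empty list means OK."""
    problems = []
    for name, version in sorted(found.items()):
        if parse_release(version) < MIN_VERSION:
            problems.append(f"{name} {version} is older than the required 1.2")
    return problems


def check_environment() -> None:
    """Call once at startup or in CI, before any 'br' response is decoded."""
    problems = too_old(installed_backends())
    if problems:
        raise RuntimeError("; ".join(problems))
```

Calling check_environment() in the environment listed under Minimal Reproduction would raise at startup, provided the conda package registers its metadata under the name Brotli.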


Sources

We don’t republish the full GitHub discussion text. Use the links above for context.