CVE-2025-69223

EUVD-2025-206229
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
Data Amplification
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Affected Products (NVD)
VendorProductVersion
aiohttpaiohttp
𝑥
< 3.13.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-aiohttp
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
3.13.3-3
fixed
sid
3.13.3-3
fixed
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-aiohttp
bionic
needed
focal
needed
jammy
needed
noble
needed
plucky
ignored
questing
Fixed 3.11.16-1ubuntu0.1
released
xenial
needed
Common Weakness Enumeration
References
https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg