CVE-2025-69223
EUVD-2025-20622905.01.2026, 22:15
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| aiohttp | aiohttp | 𝑥 < 3.13.3 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
Common Weakness Enumeration
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
- CWE-770 - Allocation of Resources Without Limits or ThrottlingThe software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
References