CVE-2025-69227

EUVD-2026-1045

06.01.2026, 00:15

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.

Infinite Loop

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
aiohttp	aiohttp	𝑥 < 3.13.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-aiohttp

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	3.13.3-3 fixed
sid	3.13.3-3 fixed
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

python-aiohttp

bionic	ignored
focal	Fixed 3.6.2-1ubuntu1+esm5 released
jammy	Fixed 3.8.1-4ubuntu0.2+esm2 released
noble	Fixed 3.9.1-1ubuntu0.1+esm2 released
plucky	ignored
questing	Fixed 3.11.16-1ubuntu0.1 released
xenial	ignored

Common Weakness Enumeration

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

References

https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23