CVE-2025-69228

EUVD-2026-1044
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Affected Products (NVD)
VendorProductVersion
aiohttpaiohttp
𝑥
< 3.13.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-aiohttp
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
3.13.3-3
fixed
sid
3.13.3-3
fixed
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-aiohttp
bionic
Fixed 3.0.1-1ubuntu0.1~esm6
released
focal
Fixed 3.6.2-1ubuntu1+esm5
released
jammy
Fixed 3.8.1-4ubuntu0.2+esm2
released
noble
Fixed 3.9.1-1ubuntu0.1+esm2
released
plucky
ignored
questing
Fixed 3.11.16-1ubuntu0.1
released
xenial
ignored
Common Weakness Enumeration
References
https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf