CVE-2025-69229

EUVD-2026-1043
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.
CVSS 3.x Base Score (NIST, primary provider)
Base Score: 5.3 MEDIUM
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score: Percentile 15%
Affected Products (NVD)
Vendor    Product    Version    Status
aiohttp   aiohttp    < 3.13.3   vulnerable
Debian Releases (product: python-aiohttp)
Codename              Version        Status
bookworm              (none listed)  vulnerable
bookworm (security)   (none listed)  vulnerable
bullseye              (none listed)  vulnerable
bullseye (security)   (none listed)  vulnerable
forky                 3.13.3-3       fixed
sid                   3.13.3-3       fixed
trixie                (none listed)  vulnerable
Ubuntu Releases (product: python-aiohttp)
Codename   Fixed version            Status
bionic     3.0.1-1ubuntu0.1~esm6    released
focal      3.6.2-1ubuntu1+esm5      released
jammy      3.8.1-4ubuntu0.2+esm2    released
noble      3.9.1-1ubuntu0.1+esm2    released
plucky     (none listed)            ignored
questing   3.11.16-1ubuntu0.1       released
xenial     (none listed)            ignored