[<prev] [next>] [day] [month] [year] [list]
Message-ID: <401a17361111759bd1c222bb5e43f4f11815735e.camel@sambull.org>
Date: Mon, 05 Jan 2026 21:40:47 +0000
From: Sam Bull <9m199i@...bull.org>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in aiohttp
aiohttp is an async Python library providing both an HTTP client and a web framework.
These advisories primarily apply to users of the web framework.
We'd first like to thank Radically Open Security (particularly Thomas Rinsma) for
conducting a security audit. We'd also like to thank the NLnet foundation for funding the
audit and development work spent on fixing these issues. Also thanks to other reporters
and our regular sponsors.
All of the below issues have been fixed in version 3.13.3.
## (Severity: High) CVE-2025-69223 - aiohttp HTTP Parser auto_decompress feature
susceptible to zip bomb
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
### Summary
A zip bomb can be used to execute a DoS against the aiohttp server.
### Impact
An attacker may be able to send a compressed request that when decompressed by aiohttp
could exhaust the host's memory.
Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
## (Severity: High) CVE-2025-69228 - Denial of service through large payloads
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf
### Summary
A request can be crafted in such a way that an aiohttp server's memory fills up
uncontrollably during processing.
### Impact
If an application includes a handler that uses the `Request.post()` method, an attacker
may be able to freeze the server by exhausting the memory.
Patch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60
## (Severity: High) CVE-2025-69227 - DoS when bypassing asserts
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23
### Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack
when processing a POST body.
### Impact
If optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a
handler that uses the `Request.post()` method, then an attacker may be able to execute a
DoS attack with a specially crafted message.
Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259
## (Severity: Medium) CVE-2025-69229 - DoS through chunked messages
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
### Summary
Handling of chunked messages can result in excessive blocking CPU usage when receiving a
large number of chunks.
### Impact
If an application makes use of the `request.read()` method in an endpoint, it may be
possible for an attacker to cause the server to spend a moderate amount of blocking CPU
time (e.g. 1 second) while processing the request. This could potentially lead to DoS as
the server would be unable to handle other requests during that time.
Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
## (Severity: Low) CVE-2025-69230 - Cookie Parser Warning Storm
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g
### Summary
Reading multiple invalid cookies can lead to a logging storm.
### Impact
If the ``cookies`` attribute is accessed in an application, then an attacker may be able
to trigger a storm of warning-level logs using a specially crafted Cookie header.
Patch: https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326
## (Severity: Low) CVE-2025-69226 - Brute-force leak of internal static file path
components
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76
### Summary
Path normalization for static files prevents path traversal, but opens up the ability for
an attacker to ascertain the existence of absolute path components.
### Impact
If an application uses `web.static()` (not recommended for production deployments), it may
be possible for an attacker to ascertain the existence of path components.
Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
## (Severity: Low) CVE-2025-69224 - Unicode processing of header values could cause
parsing discrepancies
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2
### Summary
The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII
characters.
### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or
AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request
smuggling attack to bypass certain firewalls or proxy protections.
Patch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0
## (Severity: Low) CVE-2025-69225 - Unicode match groups in regexes for ASCII protocol
elements
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8
### Summary
The parser allows non-ASCII decimals to be present in the Range header.
### Impact
There is no known impact, but there is the possibility that there's a method to exploit a
request smuggling vulnerability.
Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
