CVE-2025-69223
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| aio-libs | aiohttp | < 3.13.3 | affected |
Weaknesses
- CWE-409: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
aiohttp: AIOHTTP’s HTTP Parser auto_decompress feature is vulnerable to zip bomb
Additional References
- https://access.redhat.com/security/cve/CVE-2025-69223
- https://bugzilla.redhat.com/show_bug.cgi?id=2427456
- https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-69223.json
- https://access.redhat.com/errata/RHSA-2026:1497
- https://access.redhat.com/errata/RHSA-2026:1506
- https://access.redhat.com/errata/RHSA-2026:3959
- https://access.redhat.com/errata/RHSA-2026:1249
- https://access.redhat.com/errata/RHSA-2026:3958
- https://access.redhat.com/errata/RHSA-2026:3461
- https://access.redhat.com/errata/RHSA-2026:3462
- https://access.redhat.com/errata/RHSA-2026:1599
- https://access.redhat.com/errata/RHSA-2026:1609
- https://access.redhat.com/errata/RHSA-2026:6308
- https://access.redhat.com/errata/RHSA-2026:1596
- https://access.redhat.com/errata/RHSA-2026:3960
- https://access.redhat.com/errata/RHSA-2026:6309
- https://access.redhat.com/errata/RHSA-2026:3782
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:2106
- https://access.redhat.com/errata/RHSA-2026:2695
- https://access.redhat.com/errata/RHSA-2026:3713
- https://access.redhat.com/errata/RHSA-2026:19712
References
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
- https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.