aiohttp is an async Python library providing both an HTTP client and a web framework. These advisories primarily apply to users of the web framework.
We'd first like to thank Radically Open Security (particularly Thomas Rinsma) for conducting a security audit. We'd also like to thank the NLnet foundation for funding the audit and development work spent on fixing these issues. Also thanks to other reporters and our regular sponsors. All of the below issues have been fixed in version 3.13.3. ## (Severity: High) CVE-2025-69223 - aiohttp HTTP Parser auto_decompress feature susceptible to zip bomb https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg ### Summary A zip bomb can be used to execute a DoS against the aiohttp server. ### Impact An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory. Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a ## (Severity: High) CVE-2025-69228 - Denial of service through large payloads https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf ### Summary A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing. ### Impact If an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory. Patch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60 ## (Severity: High) CVE-2025-69227 - DoS when bypassing asserts https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23 ### Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. ### Impact If optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message. Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259 ## (Severity: Medium) CVE-2025-69229 - DoS through chunked messages https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq ### Summary Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. ### Impact If an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712 Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229 ## (Severity: Low) CVE-2025-69230 - Cookie Parser Warning Storm https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g ### Summary Reading multiple invalid cookies can lead to a logging storm. ### Impact If the ``cookies`` attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. Patch: https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326 ## (Severity: Low) CVE-2025-69226 - Brute-force leak of internal static file path components https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76 ### Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components. ### Impact If an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e ## (Severity: Low) CVE-2025-69224 - Unicode processing of header values could cause parsing discrepancies https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2 ### Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Patch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0 ## (Severity: Low) CVE-2025-69225 - Unicode match groups in regexes for ASCII protocol elements https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8 ### Summary The parser allows non-ASCII decimals to be present in the Range header. ### Impact There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
signature.asc
Description: This is a digitally signed message part
