Sam Bull

29 exploits Active since Jul 2023
CVE-2025-69227 WRITEUP HIGH WRITEUP
aiohttp < 3.13.3 - Denial of Service via POST Body Processing
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.
CVSS 7.5
CVE-2025-69228 WRITEUP HIGH WRITEUP
aiohttp < 3.13.3 - Denial of Service via Request.post() Memory Exhaustion
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.
CVSS 7.5
CVE-2025-69229 WRITEUP MEDIUM WRITEUP
aiohttp < 3.13.3 - Denial of Service via Chunked Message Handling
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.
CVSS 5.3
CVE-2025-69230 WRITEUP MEDIUM WRITEUP
aiohttp < 3.13.3 - Logging of Excessive Data via Cookie Header
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. This issue is fixed in 3.13.3.
CVSS 5.3