CVE-2025-69227

HIGH

Aiohttp < 3.13.3 - Infinite Loop

Title source: rule

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.

References (2)

[Vendor Advisory] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23

[Patch] https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 19.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-835

Status published

Products (2)

aiohttp/aiohttp < 3.13.3

pypi/aiohttp 0 - 3.13.3PyPI

Published Jan 06, 2026

Tracked Since Feb 18, 2026