CVE-2025-69228

HIGH

Aiohttp < 3.13.3 - Resource Allocation Without Limits

Title source: rule

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.

References (2)

Core 2

Core References

Vendor Advisory, Patch x_refsource_confirm

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf

Patch x_refsource_misc

https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 19.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (2)

aiohttp/aiohttp < 3.13.3

pypi/aiohttp 0 - 3.13.3PyPI

Published Jan 06, 2026

Tracked Since Feb 18, 2026