CVE-2025-69229
MEDIUMAiohttp < 3.13.3 - Resource Allocation Without Limits
Title source: ruleDescription
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
Patch x_refsource_misc
https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
Patch x_refsource_misc
https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Scores
CVSS v3
5.3
EPSS
0.0005
EPSS Percentile
16.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
aiohttp/aiohttp
< 3.13.3
pypi/aiohttp
0 - 3.13.3PyPI
Published
Jan 06, 2026
Tracked Since
Feb 18, 2026