CVE-2025-69223 - Vulnerability Details

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0004.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Aio-libs	Aiohttp Session
Aio-libs Project	Aiohttp
Aiohttp	Aio-libs Aiohttp

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Aio-libs	Aiohttp Session
Aio-libs Project	Aiohttp
Aiohttp	Aio-libs Aiohttp

References

Link	Providers
https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
https://nvd.nist.gov/vuln/detail/CVE-2025-69223
https://www.cve.org/CVERecord?id=CVE-2025-69223

History

Wed, 07 Jan 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-69223 https://www.cve.org/CVERecord?id=CVE-2025-69223
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 06 Jan 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 06 Jan 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aio-libs Aio-libs aiohttp Session Aio-libs Project Aio-libs Project aiohttp Aiohttp Aiohttp aio-libs Aiohttp aiohttp
Vendors & Products		Aio-libs Aio-libs aiohttp Session Aio-libs Project Aio-libs Project aiohttp Aiohttp Aiohttp aio-libs Aiohttp aiohttp

Mon, 05 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
Title		AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
Weaknesses		CWE-409 CWE-770
References		https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-05T22:00:17.715Z

Updated: 2026-01-06T19:04:01.249Z

Reserved: 2025-12-29T20:45:58.699Z

Link: CVE-2025-69223

Vulnrichment

Updated: 2026-01-06T14:26:19.595Z

NVD

Status : Received

Published: 2026-01-05T22:15:53.017

Modified: 2026-01-05T22:15:53.017

Link: CVE-2025-69223

Redhat

Severity : Important

Publid Date: 2026-01-05T22:00:17Z

Links: CVE-2025-69223 - Bugzilla

OpenCVE Enrichment

Updated: 2026-01-06T14:16:25Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object