CVE-2025-69223

Published: 2026-01-05 22:15:53 | Last modified: 2026-01-14 19:11:08

HIGH CVSS 7.5

No EPSS data

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

CVSS details

Severity: high
Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

This CVE is not currently listed in the EPSS dataset.

Show JSON

{
    "cve": {
        "id": "CVE-2025-69223",
        "cveTags": [],
        "metrics": {
            "cvssMetricV31": [
                {
                    "type": "Secondary",
                    "source": "security-advisories@github.com",
                    "cvssData": {
                        "scope": "UNCHANGED",
                        "version": "3.1",
                        "baseScore": 7.5,
                        "attackVector": "NETWORK",
                        "baseSeverity": "HIGH",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                        "integrityImpact": "NONE",
                        "userInteraction": "NONE",
                        "attackComplexity": "LOW",
                        "availabilityImpact": "HIGH",
                        "privilegesRequired": "NONE",
                        "confidentialityImpact": "NONE"
                    },
                    "impactScore": 3.6,
                    "exploitabilityScore": 3.9
                }
            ]
        },
        "published": "2026-01-05T22:15:53.017",
        "references": [
            {
                "url": "https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a",
                "tags": [
                    "Patch"
                ],
                "source": "security-advisories@github.com"
            },
            {
                "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg",
                "tags": [
                    "Vendor Advisory",
                    "Patch"
                ],
                "source": "security-advisories@github.com"
            }
        ],
        "vulnStatus": "Analyzed",
        "weaknesses": [
            {
                "type": "Primary",
                "source": "security-advisories@github.com",
                "description": [
                    {
                        "lang": "en",
                        "value": "CWE-409"
                    },
                    {
                        "lang": "en",
                        "value": "CWE-770"
                    }
                ]
            }
        ],
        "descriptions": [
            {
                "lang": "en",
                "value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3."
            }
        ],
        "lastModified": "2026-01-14T19:11:07.500",
        "configurations": [
            {
                "nodes": [
                    {
                        "negate": false,
                        "cpeMatch": [
                            {
                                "criteria": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*",
                                "vulnerable": true,
                                "matchCriteriaId": "715B630E-B141-4247-A920-3FFBD8045A05",
                                "versionEndExcluding": "3.13.3"
                            }
                        ],
                        "operator": "OR"
                    }
                ]
            }
        ],
        "sourceIdentifier": "security-advisories@github.com"
    }
}