CVE-2025-69223 — Improper Handling of Highly Compressed Data (Data Amplification) in Aiohttp

CWE-409 — Improper Handling of Highly Compressed Data (Data Amplification)CWE-770 — Allocation of Resources Without Limits or Throttling11 documents9 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 80.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aio-libs Aiohttp Aiohttp

Timeline

PublishedJan 5

Latest updateApr 15

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDaiohttp/aiohttp< 3.13.3

▶PyPIaiohttp/aiohttp< 3.13.3

▶CVEListV5aio-libs/aiohttp< 3.13.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

VulDB

aio-libs aiohttp up to 3.13.2 data amplification (GHSA-6mq8-rvhq-8wgg / EUVD-2025-206229)↗2026-04-15

▶

OSV

python-aiohttp vulnerabilities↗2026-02-13

▶

OSV

CVE-2025-69223: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python↗2026-01-05

▶

OSV

AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb↗2026-01-05

▶

CVEList

AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb↗2026-01-05

▶

📋Vendor Advisories

Ubuntu

AIOHTTP vulnerabilities↗2026-02-13

▶

Red Hat

aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb↗2026-01-05

▶

Debian

CVE-2025-69223: python-aiohttp - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-69223 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶