CVE-2025-69223

7.5 HIGH

📋 TL;DR

AIOHTTP versions 3.13.2 and below are vulnerable to a zip bomb denial-of-service attack. An attacker can send specially crafted compressed requests that cause excessive memory consumption when decompressed, potentially crashing the server. This affects any Python application using vulnerable AIOHTTP versions as an HTTP server.

💻 Affected Systems

Products:
  • aiohttp
Versions: All versions <= 3.13.2
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects AIOHTTP when used as a server, not as a client. All deployments with default settings are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server outage due to memory exhaustion, causing service disruption and potential data loss in active sessions.

🟠 Likely Case: Temporary service degradation or server crashes requiring manual restart, impacting availability.

🟢 If Mitigated: Minimal impact with proper request size limits and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with compressed payloads. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.3

Vendor Advisory: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg

Restart Required: Yes

Instructions:

1. Update aiohttp: pip install --upgrade aiohttp==3.13.3
2. Restart all services using aiohttp
3. Verify the new version is active

🔧 Temporary Workarounds

Limit request body size (all platforms)

Configure AIOHTTP to reject large compressed requests before decompression:

from aiohttp import web

app = web.Application(client_max_size=1024 * 1024)  # 1 MB limit on request bodies

Disable request compression (all platforms)

Prevent AIOHTTP from accepting compressed request bodies:

from aiohttp import web

# Note: client_max_size=0 does not disable decompression; in aiohttp a value of 0
# switches the body-size limit off entirely. Refuse compressed bodies explicitly
# instead, by rejecting any request that carries a Content-Encoding header (415).
@web.middleware
async def reject_compressed(request, handler):
    if "Content-Encoding" in request.headers:
        raise web.HTTPUnsupportedMediaType()
    return await handler(request)

app = web.Application(middlewares=[reject_compressed])

🧯 If You Can't Patch

  • Implement reverse proxy with request size limits (e.g., nginx client_max_body_size)
  • Deploy rate limiting and WAF rules to block suspicious compressed requests
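A reverse-proxy configuration that applies both points above, written here as an added example (it is not from the advisory or the aiohttp project). It assumes aiohttp listens on 127.0.0.1:8080 and is reachable only through nginx; the 1m body limit is an assumed value to adjust for your application.

```nginx
# Added example, not part of the advisory. Assumes aiohttp on 127.0.0.1:8080.
server {
    listen 80;

    # Upper bound on the size of any request body nginx will accept; for a
    # compressed body this bounds the *compressed* bytes, not the expanded size.
    client_max_body_size 1m;

    location / {
        # aiohttp decompresses request bodies itself, so refuse any request that
        # declares a Content-Encoding before it reaches the application (415).
        if ($http_content_encoding != "") {
            return 415;
        }

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because the expansion ratio of a zip bomb is what makes the attack work, the Content-Encoding rejection is the part that actually removes the risk; the body-size limit alone only bounds how much compressed data the application is handed.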

🔍 How to Verify

Check if Vulnerable:

Check the installed aiohttp version: python -c "import aiohttp; print(aiohttp.__version__)"

Any version 3.13.2 or lower is vulnerable.

Verify Fix Applied:

Confirm the version reported by the same command is 3.13.3 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Sudden memory spikes
  • Server crashes with memory errors
  • Unusually large request sizes in access logs

Network Indicators:

  • HTTP requests with Content-Encoding: gzip/deflate and large compressed payloads
  • Rapid consecutive compressed requests from single source

SIEM Query:

source="aiohttp" AND ("MemoryError" OR "out of memory" OR "Killed")
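The two network indicators above can be checked offline against access logs. The script below is an added example, not part of the advisory or of aiohttp: it parses constructed sample log lines in an aiohttp access-log format that is assumed to have been configured with `access_log_format='%a %t "%r" %s %b "%{Content-Encoding}i" %{Content-Length}i'`, and flags compressed request bodies above a size threshold and bursts of compressed requests from one source. The thresholds (64 KB, three requests in ten seconds) are assumed starting values, not figures from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic). The format assumes the
# aiohttp access logger records the two request headers that matter here:
#   access_log_format='%a %t "%r" %s %b "%{Content-Encoding}i" %{Content-Length}i'
# aiohttp writes "-" for a header that is absent.
SAMPLE_LOG = """\
203.0.113.7 [26/Jan/2026:12:00:00 +0000] "POST /upload HTTP/1.1" 200 17 "gzip" 1048576
203.0.113.7 [26/Jan/2026:12:00:01 +0000] "POST /upload HTTP/1.1" 500 0 "gzip" 2097152
203.0.113.7 [26/Jan/2026:12:00:02 +0000] "POST /upload HTTP/1.1" 500 0 "gzip" 2097152
198.51.100.20 [26/Jan/2026:12:00:05 +0000] "POST /api HTTP/1.1" 200 42 "-" 512
198.51.100.21 [26/Jan/2026:12:05:00 +0000] "POST /api HTTP/1.1" 200 42 "gzip" 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) "(?P<encoding>[^"]*)" (?P<length>\S+)$'
)

# Content-Encoding values the advisory names as decompressed by the server.
COMPRESSED_ENCODINGS = {"gzip", "deflate"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # Content-Length is the *compressed* size on the wire; "-" means absent.
    rec["length"] = int(rec["length"]) if rec["length"].isdigit() else 0
    rec["compressed"] = rec["encoding"].lower() in COMPRESSED_ENCODINGS
    return rec


def find_indicators(lines, max_compressed_bytes=64 * 1024, burst_count=3, burst_window_s=10):
    """Return (kind, source_ip, detail) alerts for the two network indicators:
    an oversized compressed body, and a burst of compressed requests from one source.
    Thresholds are assumed defaults; tune them to the application's normal traffic."""
    alerts = []
    compressed_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["compressed"]:
            continue
        compressed_times[rec["ip"]].append(rec["time"])
        if rec["length"] > max_compressed_bytes:
            alerts.append(("large_compressed_body", rec["ip"], rec["length"]))
    # Sliding window: burst_count compressed requests within burst_window_s seconds.
    for ip, times in compressed_times.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            span = (times[i + burst_count - 1] - times[i]).total_seconds()
            if span <= burst_window_s:
                alerts.append(("compressed_burst", ip, burst_count))
                break
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"{kind}: source={ip} detail={detail}")
```

On the sample above, every alert points at 203.0.113.7: three oversized compressed bodies and one burst, while the uncompressed request and the small gzip request from the other sources produce nothing. Run it against a real log by feeding the file's lines to `find_indicators` in place of `SAMPLE_LOG`.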
