CVE-2025-69223

EPSS 0.06%
Veröffentlicht 05.01.2026 22:00:17
Zuletzt bearbeitet 14.01.2026 19:11:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Aiohttp ≫ Aiohttp Version < 3.13.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.174

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg

Patch

Vendor Advisory

https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-69223

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-69223

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-69223

EUVD