Low severity · OSV Advisory · Published Jan 5, 2026 · Updated Jan 6, 2026
AIOHTTP's Unicode processing of header values could cause parsing discrepancies
CVE-2025-69224
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, the Python HTTP parser may allow a request smuggling attack when non-ASCII characters are present. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3.
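An exposure check for the two conditions the description names (a release below 3.13.3 and the pure-Python parser being the active one), added here as an example and not taken from the aiohttp project. The function names release_tuple, assess and probe_local are hypothetical, and the version comparison assumes PyPI-style version strings, so distribution packages with backported fixes are not covered.

```python
import re
from importlib import metadata

FIXED = (3, 13, 3)  # first patched release named in the advisory


def release_tuple(version):
    """Return ((major, minor, patch), is_prerelease) for a PyPI-style version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(x or 0) for x in m.group(1, 2, 3))
    # aN / bN / rcN / .devN suffixes sort before the final release.
    pre = bool(re.match(r"\.?(a|b|rc|dev)\d*", m.group(4)))
    return nums, pre


def assess(version, pure_python_parser):
    """Classify an install against the advisory's two conditions."""
    nums, pre = release_tuple(version)
    # A pre-release of the fixed version predates it, so count it as unpatched.
    patched = nums > FIXED or (nums == FIXED and not pre)
    if patched:
        return "patched"
    # Below the fix: the advisory ties the issue to the pure-Python parser.
    return "exposed" if pure_python_parser else "vulnerable-version-c-parser"


def probe_local():
    """Inspect the running interpreter; returns None if aiohttp is absent."""
    try:
        from aiohttp import http_parser
    except ImportError:
        return None
    # aiohttp rebinds HttpRequestParser to the C class when the extension
    # loads; if it is still the Py class, the pure-Python parser is active
    # (extensions missing, or AIOHTTP_NO_EXTENSIONS set at import time).
    pure = http_parser.HttpRequestParser is http_parser.HttpRequestParserPy
    return assess(metadata.version("aiohttp"), pure)


if __name__ == "__main__":
    print(probe_local())
```

Run probe_local() inside the service's own interpreter and environment, because AIOHTTP_NO_EXTENSIONS is read when aiohttp is imported and a separate shell may not carry the same setting.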
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aiohttp (PyPI) | < 3.13.3 | 3.13.3 |
Affected products
References
- github.com/advisories/GHSA-69f9-5gxw-wvc2 (source: ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-69224 (source: ghsa; ADVISORY)
- github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0 (source: ghsa; x_refsource_MISC; WEB)
- github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2 (source: ghsa; x_refsource_CONFIRM; WEB)