Low severity · OSV Advisory · Published Jan 5, 2026 · Updated Jan 6, 2026

AIOHTTP Regex Mismatch Allows Unicode in ASCII-Only Protocol Fields

CVE-2025-69225

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimal digits in the Range header: the `\d` class in the Python regular expression that parses the header matches any Unicode decimal digit unless `re.ASCII` is set. There is no known impact, but the possibility that this mismatch can be turned into a request smuggling vulnerability cannot be excluded. This issue is fixed in version 3.13.3.
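The following is an added example, not code from the advisory or from aiohttp, showing the mechanism behind this advisory: Python's `\d` matches every Unicode decimal digit (category Nd) unless `re.ASCII` is set, and `int()` converts such digits just as happily, so the regular expression is the only place a Range value is rejected. The pattern is the one from the patch; the sample header values, `parse_byte_range` and `is_acceptable_range` are constructed for this illustration and are not aiohttp's own API.

```python
import re
from typing import Optional, Tuple

# Constructed sample Range header values (only the Devanagari digit comes from
# the project's regression test; the rest is made up for this example).
RANGE_ASCII = "bytes=4-9"
RANGE_NON_ASCII = "bytes=4-\u096b"     # ५ = DEVANAGARI DIGIT FIVE
RANGE_FULLWIDTH = "bytes=\uff14-\uff19"  # fullwidth ４ and ９ (also category Nd)

# The pattern used by the parser in the advisory's patch.
PATTERN = r"^bytes=(\d*)-(\d*)$"


def match_unicode_digits(rng: str) -> Optional[Tuple[str, str]]:
    # Pre-fix behaviour: without re.ASCII, \d matches any Unicode decimal digit.
    found = re.findall(PATTERN, rng)
    return found[0] if found else None


def match_ascii_digits(rng: str) -> Optional[Tuple[str, str]]:
    # Post-fix behaviour: re.ASCII restricts \d to the ASCII digits 0-9.
    found = re.findall(PATTERN, rng, re.ASCII)
    return found[0] if found else None


def unicode_digits_still_convert(rng: str) -> Tuple[int, int]:
    # Why the regex is the only guard: int() accepts Unicode decimal digits too,
    # so a value that passes the pre-fix match becomes an ordinary integer bound.
    matched = match_unicode_digits(rng)
    if matched is None:
        raise ValueError("range not in acceptable format")
    start, end = matched
    return int(start), int(end)


def parse_byte_range(rng: str) -> Tuple[Optional[int], Optional[int]]:
    # Hypothetical hardened parser (not aiohttp's code): ASCII-only match first,
    # then conversion. Open-ended forms "bytes=-N" and "bytes=N-" are allowed,
    # "bytes=-" with both ends empty is rejected.
    try:
        start, end = re.findall(PATTERN, rng, re.ASCII)[0]
    except IndexError:  # pattern was not found in header
        raise ValueError("range not in acceptable format")
    if not start and not end:
        raise ValueError("range not in acceptable format")
    return (int(start) if start else None, int(end) if end else None)


def is_acceptable_range(rng: str) -> bool:
    # Convenience predicate over parse_byte_range for checks and tests.
    try:
        parse_byte_range(rng)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for value in (RANGE_ASCII, RANGE_NON_ASCII, RANGE_FULLWIDTH):
        print(repr(value),
              "pre-fix:", match_unicode_digits(value),
              "post-fix:", match_ascii_digits(value),
              "accepted:", is_acceptable_range(value))
```

Run it as a script to see that both non-ASCII values match the pre-fix pattern and are converted to ordinary integers, while the `re.ASCII` match rejects them. The practical lesson for any parser of ASCII-only protocol fields is to express the digit class as `[0-9]` or set `re.ASCII`, and not to rely on `int()` to reject what the regex let through.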

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
aiohttp   PyPI        < 3.13.3            3.13.3

Patches

c7b7a044f88c

[PR #11887/7a067d19 backport][3.13] Reject non-ascii digits in Range header (#11903)

Repository: https://github.com/aio-libs/aiohttp · Author: patchback[bot] · Jan 3, 2026 · via ghsa
2 files changed · +8 −1
  • aiohttp/web_request.py (+1 −1, modified)
    @@ -607,7 +607,7 @@ def http_range(self) -> slice:
             if rng is not None:
                 try:
                     pattern = r"^bytes=(\d*)-(\d*)$"
    -                start, end = re.findall(pattern, rng)[0]
    +                start, end = re.findall(pattern, rng, re.ASCII)[0]
                 except IndexError:  # pattern was not found in header
                     raise ValueError("range not in acceptable format")
     
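Review bot: `re.ASCII` is the right fix for the match, but consider writing the capture groups as `([0-9]*)` so the ASCII-only intent is visible in the pattern itself rather than in a flag passed alongside it; since Python's `int()` also accepts non-ASCII decimal digits, this regular expression is the only place such a value is rejected, so the intent deserves to be explicit. A short comment on the `re.ASCII` line stating that `\d` would otherwise match Unicode digits would keep a future refactor from dropping the flag.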
    
  • tests/test_web_request.py (+7 −0, modified)
    @@ -244,6 +244,13 @@ def bytes_gen(size):
         assert req.content[req.http_range] == payload[-500:]
     
     
    +def test_range_non_ascii() -> None:
    +    # ५ = DEVANAGARI DIGIT FIVE
    +    req = make_mocked_request("GET", "/", headers=CIMultiDict([("RANGE", "bytes=4-५")]))
    +    with pytest.raises(ValueError, match="range not in acceptable format"):
    +        req.http_range
    +
    +
     def test_non_keepalive_on_http10() -> None:
         req = make_mocked_request("GET", "/", version=HttpVersion(1, 0))
         assert not req.keep_alive
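Review bot: the regression test only exercises a non-ASCII digit in the end position of the range; add a case with the digit in the start position (for example `bytes=५-9`) and one with a fullwidth digit such as `９` so both capture groups are covered, and keep a positive case such as `bytes=4-9` beside them to show the `re.ASCII` change did not reject plain ASCII ranges.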
    
