Moderate severity · OSV Advisory · Published Jan 5, 2026 · Updated Jan 6, 2026
AIOHTTP vulnerable to denial of service through large payloads
CVE-2025-69228
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aiohttp (PyPI) | < 3.13.3 | 3.13.3 |
Affected products
Patches
b7dbd35375ae: Enforce client_max_size over entire multipart form (#11889) (#11908)
2 files changed · +3 −3
aiohttp/web_request.py+1 −1 modified@@ -721,9 +721,9 @@ async def post(self) -> "MultiDictProxy[Union[str, bytes, FileField]]": multipart = await self.multipart() max_size = self._client_max_size + size = 0 field = await multipart.next() while field is not None: - size = 0 field_ct = field.headers.get(hdrs.CONTENT_TYPE) if isinstance(field, BodyPartReader):
tests/test_web_functional.py+2 −2 modified@@ -1705,8 +1705,8 @@ async def handler(request): await resp.release() -async def test_app_max_client_size_adjusted(aiohttp_client) -> None: - async def handler(request): +async def test_app_max_client_size_adjusted(aiohttp_client: AiohttpClient) -> None: + async def handler(request: web.Request) -> web.Response: await request.post() return web.Response(body=b"ok")
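Review bot: the moved `size = 0` in aiohttp/web_request.py is the whole fix (the counter now spans every field instead of restarting per field), but nothing in the hunk records that intent, so a later tidy-up that hoists a "stray" assignment back into the `while field is not None:` loop would silently reintroduce the bug. Suggest a one-line comment above `size = 0` stating that `max_size` (taken from `self._client_max_size`) is enforced over the entire form, and a CHANGES fragment for the user-visible change, since the "2 files changed" are only `aiohttp/web_request.py` and `tests/test_web_functional.py`.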
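Review bot: in the visible part of the tests/test_web_functional.py hunk the only change to `test_app_max_client_size_adjusted` is type annotations (`AiohttpClient`, `web.Request`, `web.Response`); no new assertion appears that a form whose fields individually stay under `client_max_size` but together exceed it is rejected. Suggest a regression test that posts two fields each just below the configured limit through a handler that does `await request.post()` and asserts the request is rejected as too large (HTTPRequestEntityTooLarge, 413), so the cumulative accounting is actually exercised rather than only the per-field path the existing test already covered.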
Vulnerability mechanics
Request.post() reads a multipart/form-data body field by field and compares a running byte count against the request's client_max_size. Before 3.13.3 that counter (the `size = 0` line moved by the fix) was reset at the top of the per-field loop, so the limit was applied to each field on its own rather than to the form as a whole. A body made of many fields, each kept just under client_max_size, passes every check while the server buffers all of them in memory, and the total is bounded only by what the attacker sends. The fix initialises the counter once, before the loop, so it accumulates across fields and the whole form is capped by client_max_size.
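The accounting difference behind this advisory, as an added example that is not aiohttp's code: a minimal multipart splitter (written for this demo, not aiohttp's parser) feeds a `read_post()` function that mimics the size check in `Request.post()`, once with the counter zeroed per field (pre-3.13.3) and once cumulative (3.13.3). The boundary, field sizes and the 1 KiB limit are constructed for the demo; aiohttp's real default limit is 1 MiB and it raises HTTPRequestEntityTooLarge where this code returns False.

```python
"""Added example (not aiohttp's code): per-field vs cumulative enforcement of
client_max_size over a multipart form. The splitter below is a minimal
illustration for well-formed, constructed input, not aiohttp's parser."""
import re
from typing import Dict, Iterator, List, Tuple

CLIENT_MAX_SIZE = 1024  # constructed limit for the demo (aiohttp's default is 1 MiB)

_NAME_RE = re.compile(rb'name="([^"]*)"')


def build_form_body(boundary: bytes, field_sizes: List[int]) -> bytes:
    """Construct a multipart/form-data body with one text field per entry."""
    out = bytearray()
    for i, n in enumerate(field_sizes):
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="f%d"\r\n\r\n' % i
        out += b"A" * n + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def iter_parts(body: bytes, boundary: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (field name, payload) per part. Assumes the boundary never occurs
    inside a payload, which holds for the constructed bodies used here."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        headers, _, data = chunk[2:].partition(b"\r\n\r\n")  # drop leading CRLF
        m = _NAME_RE.search(headers)
        name = m.group(1) if m else b""
        yield name, data[:-2]  # drop the CRLF that precedes the next delimiter


def read_post(body: bytes, boundary: bytes, max_size: int = CLIENT_MAX_SIZE,
              reset_per_field: bool = False) -> Tuple[bool, int, Dict[bytes, bytes]]:
    """Buffer the form the way Request.post() does, checking max_size as it goes.

    reset_per_field=True reproduces the pre-3.13.3 accounting (counter zeroed
    for every field); False is the fixed, cumulative accounting.
    Returns (accepted, bytes read into memory, fields buffered so far).
    """
    fields: Dict[bytes, bytes] = {}
    size = 0        # the value compared against max_size
    buffered = 0    # what has actually been read into memory
    for name, data in iter_parts(body, boundary):
        if reset_per_field:
            size = 0  # the bug: the limit applies to each field, not the whole form
        size += len(data)
        buffered += len(data)
        if 0 < max_size < size:
            # aiohttp raises HTTPRequestEntityTooLarge here; the demo just reports it
            return False, buffered, fields
        fields[name] = data
    return True, buffered, fields


if __name__ == "__main__":
    # 8 fields of 1000 bytes: every field is under the 1 KiB limit, the form is not.
    body = build_form_body(b"demo", [1000] * 8)
    for buggy in (True, False):
        ok, nbytes, _ = read_post(body, b"demo", reset_per_field=buggy)
        print(f"reset_per_field={buggy}: accepted={ok}, bytes buffered={nbytes}")
```

With the per-field reset the 8000-byte form is accepted in full, because no single field ever trips the check; with the cumulative counter the second field pushes the total past 1024 and the request is refused after 2000 bytes have been read. Scaling the field count up is all an attacker needs on an unpatched server.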
References
- github.com/advisories/GHSA-6jhg-hg63-jvvf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-69228 (NVD advisory)
- github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60 (fix commit)
- github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf (project security advisory)
News mentions
No linked articles in our index yet.