CVE-2025-69223
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
| CWE | CWE-409 CWE-770 |
| Vendor | aio-libs |
| Product | aiohttp |
| Published | Jan 5, 2026 |
| Last Updated | Jun 30, 2026 |
Stay Ahead of the Next One
Get instant alerts for aio-libs aiohttp
Be the first to know when new high vulnerabilities affecting aio-libs aiohttp are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
aio-libs / aiohttp
< 3.13.3
References
github.com: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg github.com: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-69223 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2427456 security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-69223.json access.redhat.com: https://access.redhat.com/errata/RHSA-2026:1497 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:1506 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3959 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:1249 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3958 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3461 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3462 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:1599 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:1609 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:6308 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:1596 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3960 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:6309 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3782 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:10184 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:2106 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:2695 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3713 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:19712