Zip Bomb Vulnerability in AIOHTTP Framework by aio-libs
CVE-2025-69223

7.5HIGH

Key Information:

Vendor: Aio-libs
Status: Aiohttp
Vendor: CVE Published:; 5 January 2026

What is CVE-2025-69223?

The AIOHTTP framework versions 3.13.2 and below are susceptible to a zip bomb vulnerability. This issue allows an attacker to send a specially crafted compressed request that, when decompressed, can significantly drain the host's memory resources, potentially leading to a denial of service (DoS). The vulnerability has been resolved in version 3.13.3, underscoring the importance of timely updates to protect systems from exploitation.

Affected Version(s)

aiohttp < 3.13.3

References

https://github.com/aio-libs/aiohttp/security/advisories/G...

x_refsource_CONFIRM

https://github.com/aio-libs/aiohttp/commit/2b920c39002cee...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 5, 2026
Vulnerability Reserved
Dec 29, 2025

CVE-2025-69223 Data

JSON

Aio-libs

What is CVE-2025-69223?

Affected Version(s)

References

CVSS V3.1

Timeline