Request Smuggling Vulnerability in AIOHTTP Framework by Aio-libs
CVE-2025-69224

6.3MEDIUM

Key Information:

Vendor: Aio-libs
Status: Aiohttp
Vendor: CVE Published:; 5 January 2026

What is CVE-2025-69224?

The AIOHTTP framework, designed for asynchronous HTTP communication in Python, is susceptible to a request smuggling vulnerability. This issue arises in versions up to 3.13.2, particularly when handling non-ASCII characters. If installed in its pure Python version—without C extensions—or if AIOHTTP_NO_EXTENSIONS is enabled, attackers can exploit this vulnerability to bypass firewall or proxy protections. The problem has been resolved in versions released after 3.13.2.

Affected Version(s)

aiohttp < 3.13.3

References

https://github.com/aio-libs/aiohttp/security/advisories/G...

x_refsource_CONFIRM

https://github.com/aio-libs/aiohttp/commit/32677f2adfd907...

x_refsource_MISC

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 5, 2026
Vulnerability Reserved
Dec 29, 2025

CVE-2025-69224 Data

JSON