Request Smuggling Vulnerability in AIOHTTP Framework by aio-libs
CVE-2025-69225
2.7 LOW
What is CVE-2025-69225?
AIOHTTP, a framework for building asynchronous HTTP clients and servers in Python, contains a vulnerability in versions 3.13.2 and earlier. The flaw allows non-ASCII decimals in the Range header, which could open the way to a request smuggling attack. Although no direct impacts have been reported, the issue highlights the importance of keeping dependencies updated. The vulnerability is fixed in version 3.13.3, which is the upgrade path for affected users. For additional information on this vulnerability, refer to the official advisory and commit notes.
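The class of parsing leniency described above, shown as an added example that is not aiohttp's code or the project's patch: a Unicode-aware `\d` accepts non-ASCII decimals in a Range value, while an ASCII-only pattern rejects them. The function names, patterns and sample header values are assumptions constructed for illustration.

```python
import re

# Python's \d is Unicode-aware for str patterns: it matches any character in
# category Nd (Arabic-Indic, fullwidth, ...), and int() converts them too.
LENIENT_RANGE = re.compile(r"bytes=(\d*)-(\d*)")
# re.ASCII narrows \d to [0-9], the only digits HTTP's grammar allows.
STRICT_RANGE = re.compile(r"bytes=(\d*)-(\d*)", re.ASCII)


def parse_range(value, pattern):
    """Return (start, end) with None for an omitted bound, or None if rejected."""
    match = pattern.fullmatch(value)
    if match is None:
        return None
    start, end = match.groups()
    if not start and not end:
        return None  # "bytes=-" carries no range at all
    return (int(start) if start else None, int(end) if end else None)


def has_non_ascii_decimal(value):
    """Detection helper: flag header values containing non-ASCII decimal digits."""
    return any(ch.isdecimal() and not ch.isascii() for ch in value)


# Constructed sample header values (not taken from the advisory).
SAMPLES = [
    "bytes=0-499",                       # plain ASCII
    "bytes=\u0660-\u0664\u0669\u0669",   # Arabic-Indic digits for 0-499
    "bytes=\uff11\uff10-",               # fullwidth digits for 10-
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(
            ascii(value),
            "lenient:", parse_range(value, LENIENT_RANGE),
            "strict:", parse_range(value, STRICT_RANGE),
            "flag:", has_non_ascii_decimal(value),
        )
```

The lenient and strict parsers disagree on the second and third samples, which is the kind of interpretation gap between components that request smuggling relies on; `has_non_ascii_decimal` can be run over logged Range values to spot such input.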
Affected Version(s)
aiohttp < 3.13.3
