Excessive CPU Blocking Vulnerability in AIOHTTP Framework by AIO Labs
CVE-2025-69229

6.6MEDIUM

Key Information:

Vendor

Aio-libs

Status
Aiohttp
Vendor
CVE Published:
5 January 2026

What is CVE-2025-69229?

A vulnerability in AIOHTTP versions 3.13.2 and earlier can lead to excessive CPU blocking when handling chunked HTTP messages. If an application leverages the request.read() method, an attacker might exploit this behavior, causing the server to spend significant time (approximately 1 second) processing requests. This could disrupt normal server operations, preventing it from handling other incoming requests effectively. The issue has been addressed in AIOHTTP version 3.13.3.

Affected Version(s)

aiohttp < 3.13.3

References

https://github.com/aio-libs/aiohttp/security/advisories/G...
x_refsource_CONFIRM
https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf6...
x_refsource_MISC
https://github.com/aio-libs/aiohttp/commit/dc3170b56904bd...
x_refsource_MISC

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.