Home

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.

PUBLISHED Reserved 2025-12-29 | Published 2026-01-05 | Updated 2026-01-06 | Assigner GitHub_M




MEDIUM: 6.6CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

< 3.13.3
affected

References

github.com/...iohttp/security/advisories/GHSA-g84x-mcqj-x9qq

github.com/...ommit/4ed97a4e46eaf61bd0f05063245f613469700229

github.com/...ommit/dc3170b56904bdf814228fae70a5501a42a6c712

cve.org (CVE-2025-69229)

nvd.nist.gov (CVE-2025-69229)

Download JSON