Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/aiohttp@2.2.4
Typepypi
Namespace
Nameaiohttp
Version2.2.4
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.13.4
Latest_non_vulnerable_version4.0.0a0
Affected_by_vulnerabilities
0
url VCID-88cm-cxp9-ekgn
vulnerability_id VCID-88cm-cxp9-ekgn
summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21330.json
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21330.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21330
reference_id
reference_type
scores
0
value 0.00494
scoring_system epss
scoring_elements 0.65777
published_at 2026-04-18T12:55:00Z
1
value 0.00494
scoring_system epss
scoring_elements 0.65763
published_at 2026-04-16T12:55:00Z
2
value 0.00494
scoring_system epss
scoring_elements 0.65728
published_at 2026-04-13T12:55:00Z
3
value 0.00494
scoring_system epss
scoring_elements 0.65758
published_at 2026-04-12T12:55:00Z
4
value 0.00494
scoring_system epss
scoring_elements 0.65772
published_at 2026-04-11T12:55:00Z
5
value 0.00494
scoring_system epss
scoring_elements 0.65751
published_at 2026-04-09T12:55:00Z
6
value 0.00494
scoring_system epss
scoring_elements 0.65739
published_at 2026-04-08T12:55:00Z
7
value 0.00494
scoring_system epss
scoring_elements 0.65688
published_at 2026-04-07T12:55:00Z
8
value 0.00494
scoring_system epss
scoring_elements 0.65722
published_at 2026-04-04T12:55:00Z
9
value 0.00494
scoring_system epss
scoring_elements 0.65643
published_at 2026-04-01T12:55:00Z
10
value 0.00494
scoring_system epss
scoring_elements 0.65692
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21330
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21330
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21330
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst#374-2021-02-25
6
reference_url https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/commit/2545222a3853e31ace15d87ae0e2effb7da0c96b
7
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2021-76.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2021-76.yaml
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU7ENI54JNEK3PHEFGCE46DGMFNTVU6L/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3V7CZJRT4QFCVXB6LDPCJH7NAOFCA5/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21330
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21330
16
reference_url https://pypi.org/project/aiohttp
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://pypi.org/project/aiohttp
17
reference_url https://pypi.org/project/aiohttp/
reference_id
reference_type
scores
url https://pypi.org/project/aiohttp/
18
reference_url https://security.gentoo.org/glsa/202208-19
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202208-19
19
reference_url https://www.debian.org/security/2021/dsa-4864
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-4864
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1933364
reference_id 1933364
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1933364
21
reference_url https://security.archlinux.org/AVG-1623
reference_id AVG-1623
reference_type
scores
0
value Low
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1623
22
reference_url https://github.com/advisories/GHSA-v6wp-4m6f-gcjg
reference_id GHSA-v6wp-4m6f-gcjg
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v6wp-4m6f-gcjg
23
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
24
reference_url https://usn.ubuntu.com/USN-5386-1/
reference_id USN-USN-5386-1
reference_type
scores
url https://usn.ubuntu.com/USN-5386-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.7.4
purl pkg:pypi/aiohttp@3.7.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bcuu-jvzt-6fhn
1
vulnerability VCID-bhkk-2b7c-wfgr
2
vulnerability VCID-d3pa-kwgz-vuag
3
vulnerability VCID-ft9z-nd6x-27dz
4
vulnerability VCID-jxqg-x9dh-z3hb
5
vulnerability VCID-k122-7d38-2ug5
6
vulnerability VCID-peyu-fxyx-ayde
7
vulnerability VCID-pmr9-w1fc-93cm
8
vulnerability VCID-pqus-ew4j-k7da
9
vulnerability VCID-qrus-4szm-c3bj
10
vulnerability VCID-sjws-ddnq-fke2
11
vulnerability VCID-t2aj-cszz-tyd7
12
vulnerability VCID-t9gx-etxx-vkgb
13
vulnerability VCID-tn28-662n-vug8
14
vulnerability VCID-ttq3-65ny-skdg
15
vulnerability VCID-ue33-na1g-rqa7
16
vulnerability VCID-vqvz-jfqh-jkaz
17
vulnerability VCID-zf8d-kxf1-sqds
18
vulnerability VCID-zm3a-mf2z-xfcm
19
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.7.4
aliases CVE-2021-21330, GHSA-v6wp-4m6f-gcjg, PYSEC-2021-76
risk_score 3.7
exploitability 0.5
weighted_severity 7.4
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-88cm-cxp9-ekgn
1
url VCID-bcuu-jvzt-6fhn
vulnerability_id VCID-bcuu-jvzt-6fhn
summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49081.json
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49081.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-49081
reference_id
reference_type
scores
0
value 0.00457
scoring_system epss
scoring_elements 0.63965
published_at 2026-04-18T12:55:00Z
1
value 0.00457
scoring_system epss
scoring_elements 0.63928
published_at 2026-04-04T12:55:00Z
2
value 0.00457
scoring_system epss
scoring_elements 0.63886
published_at 2026-04-07T12:55:00Z
3
value 0.00457
scoring_system epss
scoring_elements 0.63902
published_at 2026-04-02T12:55:00Z
4
value 0.00457
scoring_system epss
scoring_elements 0.6392
published_at 2026-04-13T12:55:00Z
5
value 0.00457
scoring_system epss
scoring_elements 0.63953
published_at 2026-04-12T12:55:00Z
6
value 0.00457
scoring_system epss
scoring_elements 0.63967
published_at 2026-04-11T12:55:00Z
7
value 0.00457
scoring_system epss
scoring_elements 0.63955
published_at 2026-04-16T12:55:00Z
8
value 0.00457
scoring_system epss
scoring_elements 0.63937
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-49081
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49081
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49081
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e
5
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
6
reference_url https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b
7
reference_url https://github.com/aio-libs/aiohttp/pull/7835/files
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/pull/7835/files
8
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2
9
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-250.yaml
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-250.yaml
10
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057163
reference_id 1057163
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057163
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2252235
reference_id 2252235
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2252235
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-49081
reference_id CVE-2023-49081
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-49081
16
reference_url https://github.com/advisories/GHSA-q3qx-c6g2-7pw2
reference_id GHSA-q3qx-c6g2-7pw2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q3qx-c6g2-7pw2
17
reference_url https://access.redhat.com/errata/RHSA-2024:1057
reference_id RHSA-2024:1057
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1057
18
reference_url https://access.redhat.com/errata/RHSA-2024:1878
reference_id RHSA-2024:1878
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1878
19
reference_url https://usn.ubuntu.com/7642-1/
reference_id USN-7642-1
reference_type
scores
url https://usn.ubuntu.com/7642-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.9.0
purl pkg:pypi/aiohttp@3.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bhkk-2b7c-wfgr
1
vulnerability VCID-d3pa-kwgz-vuag
2
vulnerability VCID-ft9z-nd6x-27dz
3
vulnerability VCID-jxqg-x9dh-z3hb
4
vulnerability VCID-k122-7d38-2ug5
5
vulnerability VCID-peyu-fxyx-ayde
6
vulnerability VCID-pqus-ew4j-k7da
7
vulnerability VCID-qrus-4szm-c3bj
8
vulnerability VCID-sjws-ddnq-fke2
9
vulnerability VCID-t9gx-etxx-vkgb
10
vulnerability VCID-tn28-662n-vug8
11
vulnerability VCID-vqvz-jfqh-jkaz
12
vulnerability VCID-zm3a-mf2z-xfcm
13
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.0
aliases CVE-2023-49081, GHSA-q3qx-c6g2-7pw2, PYSEC-2023-250
risk_score 3.2
exploitability 0.5
weighted_severity 6.5
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bcuu-jvzt-6fhn
2
url VCID-bhkk-2b7c-wfgr
vulnerability_id VCID-bhkk-2b7c-wfgr
summary 
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
### Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

### Impact
An attacker can stop the application from serving requests after sending a single request.

-------

For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`):

```diff
diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@@ -338,6 +338,8 @@ class BodyPartReader:
         assert self._length is not None, "Content-Length required for chunked read"
         chunk_size = min(size, self._length - self._read_bytes)
         chunk = await self._content.read(chunk_size)
+        if self._content.at_eof():
+            self._at_eof = True
         return chunk
 
     async def _read_chunk_from_stream(self, size: int) -> bytes:
```

This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30251.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30251.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-30251
reference_id
reference_type
scores
0
value 0.00359
scoring_system epss
scoring_elements 0.58159
published_at 2026-04-18T12:55:00Z
1
value 0.00359
scoring_system epss
scoring_elements 0.58128
published_at 2026-04-13T12:55:00Z
2
value 0.00359
scoring_system epss
scoring_elements 0.58147
published_at 2026-04-12T12:55:00Z
3
value 0.00359
scoring_system epss
scoring_elements 0.58171
published_at 2026-04-11T12:55:00Z
4
value 0.00359
scoring_system epss
scoring_elements 0.58155
published_at 2026-04-09T12:55:00Z
5
value 0.00359
scoring_system epss
scoring_elements 0.58097
published_at 2026-04-07T12:55:00Z
6
value 0.00359
scoring_system epss
scoring_elements 0.58123
published_at 2026-04-04T12:55:00Z
7
value 0.00359
scoring_system epss
scoring_elements 0.58101
published_at 2026-04-02T12:55:00Z
8
value 0.00359
scoring_system epss
scoring_elements 0.58151
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-30251
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30251
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30251
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/
url https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
6
reference_url https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/
url https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
7
reference_url https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/
url https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
8
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84
9
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-30251
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-30251
11
reference_url http://www.openwall.com/lists/oss-security/2024/05/02/4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/
url http://www.openwall.com/lists/oss-security/2024/05/02/4
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070364
reference_id 1070364
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070364
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2278710
reference_id 2278710
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2278710
14
reference_url https://github.com/advisories/GHSA-5m98-qgg9-wh84
reference_id GHSA-5m98-qgg9-wh84
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5m98-qgg9-wh84
15
reference_url https://security.gentoo.org/glsa/202408-11
reference_id GLSA-202408-11
reference_type
scores
url https://security.gentoo.org/glsa/202408-11
16
reference_url https://access.redhat.com/errata/RHSA-2024:3781
reference_id RHSA-2024:3781
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3781
17
reference_url https://access.redhat.com/errata/RHSA-2025:1335
reference_id RHSA-2025:1335
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1335
18
reference_url https://usn.ubuntu.com/7642-1/
reference_id USN-7642-1
reference_type
scores
url https://usn.ubuntu.com/7642-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.9.4
purl pkg:pypi/aiohttp@3.9.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d3pa-kwgz-vuag
1
vulnerability VCID-ft9z-nd6x-27dz
2
vulnerability VCID-k122-7d38-2ug5
3
vulnerability VCID-peyu-fxyx-ayde
4
vulnerability VCID-qrus-4szm-c3bj
5
vulnerability VCID-sjws-ddnq-fke2
6
vulnerability VCID-t9gx-etxx-vkgb
7
vulnerability VCID-vqvz-jfqh-jkaz
8
vulnerability VCID-zm3a-mf2z-xfcm
9
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.4
aliases CVE-2024-30251, GHSA-5m98-qgg9-wh84
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bhkk-2b7c-wfgr
3
url VCID-d3pa-kwgz-vuag
vulnerability_id VCID-d3pa-kwgz-vuag
summary 
AIOHTTP vulnerable to  denial of service through large payloads
### Summary
A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.

### Impact
If an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69228.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69228.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69228
reference_id
reference_type
scores
0
value 0.00063
scoring_system epss
scoring_elements 0.19572
published_at 2026-04-18T12:55:00Z
1
value 0.00063
scoring_system epss
scoring_elements 0.19782
published_at 2026-04-02T12:55:00Z
2
value 0.00063
scoring_system epss
scoring_elements 0.19835
published_at 2026-04-04T12:55:00Z
3
value 0.00063
scoring_system epss
scoring_elements 0.19557
published_at 2026-04-07T12:55:00Z
4
value 0.00063
scoring_system epss
scoring_elements 0.19637
published_at 2026-04-08T12:55:00Z
5
value 0.00063
scoring_system epss
scoring_elements 0.19689
published_at 2026-04-09T12:55:00Z
6
value 0.00063
scoring_system epss
scoring_elements 0.19695
published_at 2026-04-11T12:55:00Z
7
value 0.00063
scoring_system epss
scoring_elements 0.19646
published_at 2026-04-12T12:55:00Z
8
value 0.00063
scoring_system epss
scoring_elements 0.19587
published_at 2026-04-13T12:55:00Z
9
value 0.00063
scoring_system epss
scoring_elements 0.19565
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69228
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69228
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69228
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:03Z/
url https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60
6
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:03Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69228
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69228
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427254
reference_id 2427254
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427254
9
reference_url https://github.com/advisories/GHSA-6jhg-hg63-jvvf
reference_id GHSA-6jhg-hg63-jvvf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6jhg-hg63-jvvf
10
reference_url https://access.redhat.com/errata/RHSA-2026:3782
reference_id RHSA-2026:3782
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3782
11
reference_url https://access.redhat.com/errata/RHSA-2026:5809
reference_id RHSA-2026:5809
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5809
12
reference_url https://access.redhat.com/errata/RHSA-2026:6761
reference_id RHSA-2026:6761
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6761
13
reference_url https://access.redhat.com/errata/RHSA-2026:6762
reference_id RHSA-2026:6762
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6762
14
reference_url https://usn.ubuntu.com/8032-1/
reference_id USN-8032-1
reference_type
scores
url https://usn.ubuntu.com/8032-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.13.3
purl pkg:pypi/aiohttp@3.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-19q4-vzzb-8uca
1
vulnerability VCID-5f1f-mrwv-zucz
2
vulnerability VCID-cg9h-fysf-xygf
3
vulnerability VCID-dr2r-7qda-tfh5
4
vulnerability VCID-drqp-x9gc-2qd3
5
vulnerability VCID-g4rj-1kzy-pkft
6
vulnerability VCID-hyh4-58xy-xfge
7
vulnerability VCID-kf4p-q9n9-ayhn
8
vulnerability VCID-qt9z-6kwe-wbht
9
vulnerability VCID-tmjw-8cdt-7yf7
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3
aliases CVE-2025-69228, GHSA-6jhg-hg63-jvvf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d3pa-kwgz-vuag
4
url VCID-ft9z-nd6x-27dz
vulnerability_id VCID-ft9z-nd6x-27dz
summary 
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
### Summary

The parser allows non-ASCII decimals to be present in the Range header.

### Impact

There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.

----

Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69225.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69225.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69225
reference_id
reference_type
scores
0
value 0.00045
scoring_system epss
scoring_elements 0.13833
published_at 2026-04-18T12:55:00Z
1
value 0.00045
scoring_system epss
scoring_elements 0.14072
published_at 2026-04-02T12:55:00Z
2
value 0.00045
scoring_system epss
scoring_elements 0.14126
published_at 2026-04-04T12:55:00Z
3
value 0.00045
scoring_system epss
scoring_elements 0.13932
published_at 2026-04-07T12:55:00Z
4
value 0.00045
scoring_system epss
scoring_elements 0.14014
published_at 2026-04-08T12:55:00Z
5
value 0.00045
scoring_system epss
scoring_elements 0.14067
published_at 2026-04-09T12:55:00Z
6
value 0.00045
scoring_system epss
scoring_elements 0.14022
published_at 2026-04-11T12:55:00Z
7
value 0.00045
scoring_system epss
scoring_elements 0.13985
published_at 2026-04-12T12:55:00Z
8
value 0.00045
scoring_system epss
scoring_elements 0.13935
published_at 2026-04-13T12:55:00Z
9
value 0.00045
scoring_system epss
scoring_elements 0.13839
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69225
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69225
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69225
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:19Z/
url https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
6
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:19Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69225
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69225
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427253
reference_id 2427253
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427253
9
reference_url https://github.com/advisories/GHSA-mqqc-3gqh-h2x8
reference_id GHSA-mqqc-3gqh-h2x8
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mqqc-3gqh-h2x8
10
reference_url https://usn.ubuntu.com/8032-1/
reference_id USN-8032-1
reference_type
scores
url https://usn.ubuntu.com/8032-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.13.3
purl pkg:pypi/aiohttp@3.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-19q4-vzzb-8uca
1
vulnerability VCID-5f1f-mrwv-zucz
2
vulnerability VCID-cg9h-fysf-xygf
3
vulnerability VCID-dr2r-7qda-tfh5
4
vulnerability VCID-drqp-x9gc-2qd3
5
vulnerability VCID-g4rj-1kzy-pkft
6
vulnerability VCID-hyh4-58xy-xfge
7
vulnerability VCID-kf4p-q9n9-ayhn
8
vulnerability VCID-qt9z-6kwe-wbht
9
vulnerability VCID-tmjw-8cdt-7yf7
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3
aliases CVE-2025-69225, GHSA-mqqc-3gqh-h2x8
risk_score 2.5
exploitability 0.5
weighted_severity 4.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ft9z-nd6x-27dz
5
url VCID-jxqg-x9dh-z3hb
vulnerability_id VCID-jxqg-x9dh-z3hb
summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23829.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23829.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-23829
reference_id
reference_type
scores
0
value 0.00515
scoring_system epss
scoring_elements 0.66588
published_at 2026-04-07T12:55:00Z
1
value 0.00515
scoring_system epss
scoring_elements 0.66617
published_at 2026-04-04T12:55:00Z
2
value 0.00515
scoring_system epss
scoring_elements 0.66674
published_at 2026-04-18T12:55:00Z
3
value 0.00515
scoring_system epss
scoring_elements 0.6659
published_at 2026-04-02T12:55:00Z
4
value 0.00515
scoring_system epss
scoring_elements 0.6666
published_at 2026-04-16T12:55:00Z
5
value 0.00515
scoring_system epss
scoring_elements 0.66624
published_at 2026-04-13T12:55:00Z
6
value 0.00515
scoring_system epss
scoring_elements 0.66657
published_at 2026-04-12T12:55:00Z
7
value 0.00515
scoring_system epss
scoring_elements 0.66669
published_at 2026-04-11T12:55:00Z
8
value 0.00515
scoring_system epss
scoring_elements 0.6665
published_at 2026-04-09T12:55:00Z
9
value 0.00515
scoring_system epss
scoring_elements 0.66636
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-23829
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23829
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23829
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/
url https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
6
reference_url https://github.com/aio-libs/aiohttp/pull/3235
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/pull/3235
7
reference_url https://github.com/aio-libs/aiohttp/pull/8074
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/
url https://github.com/aio-libs/aiohttp/pull/8074
8
reference_url https://github.com/aio-libs/aiohttp/pull/8074/files
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/pull/8074/files
9
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
10
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
11
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-26.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-26.yaml
12
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-23829
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-23829
17
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062708
reference_id 1062708
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062708
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2261909
reference_id 2261909
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2261909
19
reference_url https://github.com/advisories/GHSA-8qpw-xqxj-h4r2
reference_id GHSA-8qpw-xqxj-h4r2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8qpw-xqxj-h4r2
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/
reference_id ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/
21
reference_url https://access.redhat.com/errata/RHSA-2024:1878
reference_id RHSA-2024:1878
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1878
22
reference_url https://usn.ubuntu.com/7642-1/
reference_id USN-7642-1
reference_type
scores
url https://usn.ubuntu.com/7642-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.9.2
purl pkg:pypi/aiohttp@3.9.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bhkk-2b7c-wfgr
1
vulnerability VCID-d3pa-kwgz-vuag
2
vulnerability VCID-ft9z-nd6x-27dz
3
vulnerability VCID-k122-7d38-2ug5
4
vulnerability VCID-peyu-fxyx-ayde
5
vulnerability VCID-qrus-4szm-c3bj
6
vulnerability VCID-sjws-ddnq-fke2
7
vulnerability VCID-t9gx-etxx-vkgb
8
vulnerability VCID-tn28-662n-vug8
9
vulnerability VCID-vqvz-jfqh-jkaz
10
vulnerability VCID-zm3a-mf2z-xfcm
11
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.2
aliases CVE-2024-23829, GHSA-8qpw-xqxj-h4r2, PYSEC-2024-26
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jxqg-x9dh-z3hb
6
url VCID-k122-7d38-2ug5
vulnerability_id VCID-k122-7d38-2ug5
summary 
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
### Summary
The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.

### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

----

Patch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53643.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53643.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-53643
reference_id
reference_type
scores
0
value 0.00078
scoring_system epss
scoring_elements 0.23078
published_at 2026-04-07T12:55:00Z
1
value 0.00078
scoring_system epss
scoring_elements 0.23289
published_at 2026-04-04T12:55:00Z
2
value 0.00078
scoring_system epss
scoring_elements 0.23245
published_at 2026-04-02T12:55:00Z
3
value 0.00078
scoring_system epss
scoring_elements 0.23152
published_at 2026-04-08T12:55:00Z
4
value 0.00086
scoring_system epss
scoring_elements 0.24852
published_at 2026-04-18T12:55:00Z
5
value 0.00086
scoring_system epss
scoring_elements 0.24925
published_at 2026-04-09T12:55:00Z
6
value 0.00086
scoring_system epss
scoring_elements 0.24901
published_at 2026-04-12T12:55:00Z
7
value 0.00086
scoring_system epss
scoring_elements 0.2494
published_at 2026-04-11T12:55:00Z
8
value 0.00086
scoring_system epss
scoring_elements 0.24858
published_at 2026-04-16T12:55:00Z
9
value 0.00086
scoring_system epss
scoring_elements 0.24847
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-53643
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53643
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53643
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T14:43:18Z/
url https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a
6
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T14:43:18Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-53643
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-53643
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109336
reference_id 1109336
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109336
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2380000
reference_id 2380000
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2380000
10
reference_url https://github.com/advisories/GHSA-9548-qrrj-x5pj
reference_id GHSA-9548-qrrj-x5pj
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9548-qrrj-x5pj
11
reference_url https://access.redhat.com/errata/RHSA-2025:22759
reference_id RHSA-2025:22759
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:22759
12
reference_url https://access.redhat.com/errata/RHSA-2025:22939
reference_id RHSA-2025:22939
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:22939
13
reference_url https://access.redhat.com/errata/RHSA-2025:22944
reference_id RHSA-2025:22944
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:22944
14
reference_url https://access.redhat.com/errata/RHSA-2025:23531
reference_id RHSA-2025:23531
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23531
15
reference_url https://access.redhat.com/errata/RHSA-2026:1249
reference_id RHSA-2026:1249
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1249
16
reference_url https://access.redhat.com/errata/RHSA-2026:1506
reference_id RHSA-2026:1506
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1506
17
reference_url https://access.redhat.com/errata/RHSA-2026:2760
reference_id RHSA-2026:2760
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2760
18
reference_url https://access.redhat.com/errata/RHSA-2026:3960
reference_id RHSA-2026:3960
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3960
fixed_packages
0
url pkg:pypi/aiohttp@3.12.14
purl pkg:pypi/aiohttp@3.12.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d3pa-kwgz-vuag
1
vulnerability VCID-ft9z-nd6x-27dz
2
vulnerability VCID-peyu-fxyx-ayde
3
vulnerability VCID-qrus-4szm-c3bj
4
vulnerability VCID-sjws-ddnq-fke2
5
vulnerability VCID-t9gx-etxx-vkgb
6
vulnerability VCID-vqvz-jfqh-jkaz
7
vulnerability VCID-zm3a-mf2z-xfcm
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.12.14
aliases CVE-2025-53643, GHSA-9548-qrrj-x5pj
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k122-7d38-2ug5
7
url VCID-peyu-fxyx-ayde
vulnerability_id VCID-peyu-fxyx-ayde
summary 
AIOHTTP vulnerable to DoS through chunked messages
### Summary

Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.

### Impact

If an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69229.json
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69229.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69229
reference_id
reference_type
scores
0
value 0.00052
scoring_system epss
scoring_elements 0.16223
published_at 2026-04-18T12:55:00Z
1
value 0.00052
scoring_system epss
scoring_elements 0.16204
published_at 2026-04-16T12:55:00Z
2
value 0.00052
scoring_system epss
scoring_elements 0.16268
published_at 2026-04-13T12:55:00Z
3
value 0.00052
scoring_system epss
scoring_elements 0.16336
published_at 2026-04-12T12:55:00Z
4
value 0.00052
scoring_system epss
scoring_elements 0.16391
published_at 2026-04-02T12:55:00Z
5
value 0.00052
scoring_system epss
scoring_elements 0.16392
published_at 2026-04-09T12:55:00Z
6
value 0.00052
scoring_system epss
scoring_elements 0.16328
published_at 2026-04-08T12:55:00Z
7
value 0.00052
scoring_system epss
scoring_elements 0.16243
published_at 2026-04-07T12:55:00Z
8
value 0.00052
scoring_system epss
scoring_elements 0.16454
published_at 2026-04-04T12:55:00Z
9
value 0.00052
scoring_system epss
scoring_elements 0.16375
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69229
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69229
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69229
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:45Z/
url https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
6
reference_url https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:45Z/
url https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
7
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:45Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69229
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69229
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427257
reference_id 2427257
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427257
10
reference_url https://github.com/advisories/GHSA-g84x-mcqj-x9qq
reference_id GHSA-g84x-mcqj-x9qq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g84x-mcqj-x9qq
11
reference_url https://usn.ubuntu.com/8032-1/
reference_id USN-8032-1
reference_type
scores
url https://usn.ubuntu.com/8032-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.13.3
purl pkg:pypi/aiohttp@3.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-19q4-vzzb-8uca
1
vulnerability VCID-5f1f-mrwv-zucz
2
vulnerability VCID-cg9h-fysf-xygf
3
vulnerability VCID-dr2r-7qda-tfh5
4
vulnerability VCID-drqp-x9gc-2qd3
5
vulnerability VCID-g4rj-1kzy-pkft
6
vulnerability VCID-hyh4-58xy-xfge
7
vulnerability VCID-kf4p-q9n9-ayhn
8
vulnerability VCID-qt9z-6kwe-wbht
9
vulnerability VCID-tmjw-8cdt-7yf7
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3
aliases CVE-2025-69229, GHSA-g84x-mcqj-x9qq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-peyu-fxyx-ayde
8
url VCID-pmr9-w1fc-93cm
vulnerability_id VCID-pmr9-w1fc-93cm
summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-47627.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-47627.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-47627
reference_id
reference_type
scores
0
value 0.0026
scoring_system epss
scoring_elements 0.49271
published_at 2026-04-02T12:55:00Z
1
value 0.0026
scoring_system epss
scoring_elements 0.49342
published_at 2026-04-18T12:55:00Z
2
value 0.0026
scoring_system epss
scoring_elements 0.49346
published_at 2026-04-16T12:55:00Z
3
value 0.0026
scoring_system epss
scoring_elements 0.49298
published_at 2026-04-13T12:55:00Z
4
value 0.0026
scoring_system epss
scoring_elements 0.49295
published_at 2026-04-12T12:55:00Z
5
value 0.0026
scoring_system epss
scoring_elements 0.49321
published_at 2026-04-11T12:55:00Z
6
value 0.0026
scoring_system epss
scoring_elements 0.49303
published_at 2026-04-09T12:55:00Z
7
value 0.0026
scoring_system epss
scoring_elements 0.49252
published_at 2026-04-07T12:55:00Z
8
value 0.0026
scoring_system epss
scoring_elements 0.49307
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-47627
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47627
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47627
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-10T19:22:18Z/
url https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d
6
reference_url https://github.com/aio-libs/aiohttp/releases/tag/v3.8.6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/releases/tag/v3.8.6
7
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-10T19:22:18Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-246.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-246.yaml
9
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2249825
reference_id 2249825
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2249825
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-47627
reference_id CVE-2023-47627
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-47627
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U/
reference_id FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-10T19:22:18Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U/
16
reference_url https://github.com/advisories/GHSA-gfw2-4jvh-wgfg
reference_id GHSA-gfw2-4jvh-wgfg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gfw2-4jvh-wgfg
17
reference_url https://access.redhat.com/errata/RHSA-2024:1057
reference_id RHSA-2024:1057
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1057
18
reference_url https://access.redhat.com/errata/RHSA-2024:1878
reference_id RHSA-2024:1878
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1878
19
reference_url https://usn.ubuntu.com/7642-1/
reference_id USN-7642-1
reference_type
scores
url https://usn.ubuntu.com/7642-1/
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35/
reference_id VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-10T19:22:18Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35/
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM/
reference_id WQYQL6WV535EEKSNH7KRARLLMOW5WXDM
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-10T19:22:18Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM/
fixed_packages
0
url pkg:pypi/aiohttp@3.8.6
purl pkg:pypi/aiohttp@3.8.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bcuu-jvzt-6fhn
1
vulnerability VCID-bhkk-2b7c-wfgr
2
vulnerability VCID-d3pa-kwgz-vuag
3
vulnerability VCID-ft9z-nd6x-27dz
4
vulnerability VCID-jxqg-x9dh-z3hb
5
vulnerability VCID-k122-7d38-2ug5
6
vulnerability VCID-peyu-fxyx-ayde
7
vulnerability VCID-pqus-ew4j-k7da
8
vulnerability VCID-qrus-4szm-c3bj
9
vulnerability VCID-sjws-ddnq-fke2
10
vulnerability VCID-t9gx-etxx-vkgb
11
vulnerability VCID-tn28-662n-vug8
12
vulnerability VCID-ue33-na1g-rqa7
13
vulnerability VCID-vqvz-jfqh-jkaz
14
vulnerability VCID-zm3a-mf2z-xfcm
15
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.8.6
aliases CVE-2023-47627, GHSA-gfw2-4jvh-wgfg, PYSEC-2023-246
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pmr9-w1fc-93cm
9
url VCID-pqus-ew4j-k7da
vulnerability_id VCID-pqus-ew4j-k7da
summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23334.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23334.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-23334
reference_id
reference_type
scores
0
value 0.93482
scoring_system epss
scoring_elements 0.99822
published_at 2026-04-11T12:55:00Z
1
value 0.93482
scoring_system epss
scoring_elements 0.99824
published_at 2026-04-18T12:55:00Z
2
value 0.93482
scoring_system epss
scoring_elements 0.99821
published_at 2026-04-07T12:55:00Z
3
value 0.93482
scoring_system epss
scoring_elements 0.99823
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-23334
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23334
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23334
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/
url https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b
6
reference_url https://github.com/aio-libs/aiohttp/pull/8079
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/
url https://github.com/aio-libs/aiohttp/pull/8079
7
reference_url https://github.com/aio-libs/aiohttp/pull/8079/files
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/pull/8079/files
8
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
9
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-24.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-24.yaml
10
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-23334
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-23334
15
reference_url https://www.exploit-db.com/exploits/52474
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/52474
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062709
reference_id 1062709
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062709
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2261887
reference_id 2261887
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2261887
18
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/webapps/52474.txt
reference_id CVE-2024-23334
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/webapps/52474.txt
19
reference_url https://github.com/advisories/GHSA-5h86-8mv2-jq9f
reference_id GHSA-5h86-8mv2-jq9f
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5h86-8mv2-jq9f
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/
reference_id ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/
21
reference_url https://access.redhat.com/errata/RHSA-2024:1878
reference_id RHSA-2024:1878
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1878
22
reference_url https://usn.ubuntu.com/6991-1/
reference_id USN-6991-1
reference_type
scores
url https://usn.ubuntu.com/6991-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.9.2
purl pkg:pypi/aiohttp@3.9.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bhkk-2b7c-wfgr
1
vulnerability VCID-d3pa-kwgz-vuag
2
vulnerability VCID-ft9z-nd6x-27dz
3
vulnerability VCID-k122-7d38-2ug5
4
vulnerability VCID-peyu-fxyx-ayde
5
vulnerability VCID-qrus-4szm-c3bj
6
vulnerability VCID-sjws-ddnq-fke2
7
vulnerability VCID-t9gx-etxx-vkgb
8
vulnerability VCID-tn28-662n-vug8
9
vulnerability VCID-vqvz-jfqh-jkaz
10
vulnerability VCID-zm3a-mf2z-xfcm
11
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.2
aliases CVE-2024-23334, GHSA-5h86-8mv2-jq9f, PYSEC-2024-24
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pqus-ew4j-k7da
10
url VCID-qrus-4szm-c3bj
vulnerability_id VCID-qrus-4szm-c3bj
summary 
AIOHTTP's unicode processing of header values could cause parsing discrepancies
### Summary
The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.

### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

------

Patch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69224.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69224.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69224
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13164
published_at 2026-04-18T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.13165
published_at 2026-04-16T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.13259
published_at 2026-04-13T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13308
published_at 2026-04-12T12:55:00Z
4
value 0.00043
scoring_system epss
scoring_elements 0.13346
published_at 2026-04-11T12:55:00Z
5
value 0.00043
scoring_system epss
scoring_elements 0.13376
published_at 2026-04-09T12:55:00Z
6
value 0.00043
scoring_system epss
scoring_elements 0.13325
published_at 2026-04-08T12:55:00Z
7
value 0.00043
scoring_system epss
scoring_elements 0.13243
published_at 2026-04-07T12:55:00Z
8
value 0.00043
scoring_system epss
scoring_elements 0.13383
published_at 2026-04-02T12:55:00Z
9
value 0.00043
scoring_system epss
scoring_elements 0.13447
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69224
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69224
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69224
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:43Z/
url https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0
6
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:43Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69224
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69224
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427246
reference_id 2427246
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427246
9
reference_url https://github.com/advisories/GHSA-69f9-5gxw-wvc2
reference_id GHSA-69f9-5gxw-wvc2
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-69f9-5gxw-wvc2
10
reference_url https://usn.ubuntu.com/8032-1/
reference_id USN-8032-1
reference_type
scores
url https://usn.ubuntu.com/8032-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.13.3
purl pkg:pypi/aiohttp@3.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-19q4-vzzb-8uca
1
vulnerability VCID-5f1f-mrwv-zucz
2
vulnerability VCID-cg9h-fysf-xygf
3
vulnerability VCID-dr2r-7qda-tfh5
4
vulnerability VCID-drqp-x9gc-2qd3
5
vulnerability VCID-g4rj-1kzy-pkft
6
vulnerability VCID-hyh4-58xy-xfge
7
vulnerability VCID-kf4p-q9n9-ayhn
8
vulnerability VCID-qt9z-6kwe-wbht
9
vulnerability VCID-tmjw-8cdt-7yf7
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3
aliases CVE-2025-69224, GHSA-69f9-5gxw-wvc2
risk_score 2.9
exploitability 0.5
weighted_severity 5.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qrus-4szm-c3bj
11
url VCID-sjws-ddnq-fke2
vulnerability_id VCID-sjws-ddnq-fke2
summary 
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
### Summary
A zip bomb can be used to execute a DoS against the aiohttp server.

### Impact
An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.

------

Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69223.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69223.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69223
reference_id
reference_type
scores
0
value 0.00063
scoring_system epss
scoring_elements 0.19572
published_at 2026-04-18T12:55:00Z
1
value 0.00063
scoring_system epss
scoring_elements 0.19782
published_at 2026-04-02T12:55:00Z
2
value 0.00063
scoring_system epss
scoring_elements 0.19835
published_at 2026-04-04T12:55:00Z
3
value 0.00063
scoring_system epss
scoring_elements 0.19557
published_at 2026-04-07T12:55:00Z
4
value 0.00063
scoring_system epss
scoring_elements 0.19637
published_at 2026-04-08T12:55:00Z
5
value 0.00063
scoring_system epss
scoring_elements 0.19689
published_at 2026-04-09T12:55:00Z
6
value 0.00063
scoring_system epss
scoring_elements 0.19695
published_at 2026-04-11T12:55:00Z
7
value 0.00063
scoring_system epss
scoring_elements 0.19646
published_at 2026-04-12T12:55:00Z
8
value 0.00063
scoring_system epss
scoring_elements 0.19587
published_at 2026-04-13T12:55:00Z
9
value 0.00063
scoring_system epss
scoring_elements 0.19565
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69223
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69223
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69223
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:17Z/
url https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
6
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:17Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69223
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69223
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427456
reference_id 2427456
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427456
9
reference_url https://github.com/advisories/GHSA-6mq8-rvhq-8wgg
reference_id GHSA-6mq8-rvhq-8wgg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6mq8-rvhq-8wgg
10
reference_url https://access.redhat.com/errata/RHSA-2026:1249
reference_id RHSA-2026:1249
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1249
11
reference_url https://access.redhat.com/errata/RHSA-2026:1497
reference_id RHSA-2026:1497
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1497
12
reference_url https://access.redhat.com/errata/RHSA-2026:1506
reference_id RHSA-2026:1506
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1506
13
reference_url https://access.redhat.com/errata/RHSA-2026:1596
reference_id RHSA-2026:1596
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1596
14
reference_url https://access.redhat.com/errata/RHSA-2026:1599
reference_id RHSA-2026:1599
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1599
15
reference_url https://access.redhat.com/errata/RHSA-2026:1609
reference_id RHSA-2026:1609
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1609
16
reference_url https://access.redhat.com/errata/RHSA-2026:2106
reference_id RHSA-2026:2106
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2106
17
reference_url https://access.redhat.com/errata/RHSA-2026:2695
reference_id RHSA-2026:2695
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2695
18
reference_url https://access.redhat.com/errata/RHSA-2026:3461
reference_id RHSA-2026:3461
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3461
19
reference_url https://access.redhat.com/errata/RHSA-2026:3462
reference_id RHSA-2026:3462
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3462
20
reference_url https://access.redhat.com/errata/RHSA-2026:3713
reference_id RHSA-2026:3713
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3713
21
reference_url https://access.redhat.com/errata/RHSA-2026:3782
reference_id RHSA-2026:3782
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3782
22
reference_url https://access.redhat.com/errata/RHSA-2026:3958
reference_id RHSA-2026:3958
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3958
23
reference_url https://access.redhat.com/errata/RHSA-2026:3959
reference_id RHSA-2026:3959
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3959
24
reference_url https://access.redhat.com/errata/RHSA-2026:3960
reference_id RHSA-2026:3960
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3960
25
reference_url https://access.redhat.com/errata/RHSA-2026:6308
reference_id RHSA-2026:6308
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6308
26
reference_url https://access.redhat.com/errata/RHSA-2026:6309
reference_id RHSA-2026:6309
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6309
27
reference_url https://access.redhat.com/errata/RHSA-2026:6404
reference_id RHSA-2026:6404
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6404
28
reference_url https://usn.ubuntu.com/8032-1/
reference_id USN-8032-1
reference_type
scores
url https://usn.ubuntu.com/8032-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.13.3
purl pkg:pypi/aiohttp@3.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-19q4-vzzb-8uca
1
vulnerability VCID-5f1f-mrwv-zucz
2
vulnerability VCID-cg9h-fysf-xygf
3
vulnerability VCID-dr2r-7qda-tfh5
4
vulnerability VCID-drqp-x9gc-2qd3
5
vulnerability VCID-g4rj-1kzy-pkft
6
vulnerability VCID-hyh4-58xy-xfge
7
vulnerability VCID-kf4p-q9n9-ayhn
8
vulnerability VCID-qt9z-6kwe-wbht
9
vulnerability VCID-tmjw-8cdt-7yf7
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3
aliases CVE-2025-69223, GHSA-6mq8-rvhq-8wgg
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sjws-ddnq-fke2
12
url VCID-t2aj-cszz-tyd7
vulnerability_id VCID-t2aj-cszz-tyd7
summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-47641.json
reference_id
reference_type
scores
0
value 3.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-47641.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-47641
reference_id
reference_type
scores
0
value 0.00319
scoring_system epss
scoring_elements 0.54908
published_at 2026-04-02T12:55:00Z
1
value 0.00319
scoring_system epss
scoring_elements 0.54934
published_at 2026-04-04T12:55:00Z
2
value 0.00319
scoring_system epss
scoring_elements 0.54961
published_at 2026-04-16T12:55:00Z
3
value 0.00319
scoring_system epss
scoring_elements 0.54924
published_at 2026-04-13T12:55:00Z
4
value 0.00319
scoring_system epss
scoring_elements 0.54947
published_at 2026-04-12T12:55:00Z
5
value 0.00319
scoring_system epss
scoring_elements 0.54965
published_at 2026-04-18T12:55:00Z
6
value 0.00319
scoring_system epss
scoring_elements 0.54953
published_at 2026-04-09T12:55:00Z
7
value 0.00319
scoring_system epss
scoring_elements 0.54954
published_at 2026-04-08T12:55:00Z
8
value 0.00319
scoring_system epss
scoring_elements 0.54904
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-47641
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47641
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47641
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 3.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371
reference_id
reference_type
scores
0
value 3.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:18:44Z/
url https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371
6
reference_url https://github.com/aio-libs/aiohttp/releases/tag/v3.8.0
reference_id
reference_type
scores
0
value 3.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/releases/tag/v3.8.0
7
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j
reference_id
reference_type
scores
0
value 3.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value LOW
scoring_system cvssv3.1_qr
scoring_elements
3
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
4
value LOW
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:18:44Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-247.yaml
reference_id
reference_type
scores
0
value 3.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-247.yaml
9
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
reference_id
reference_type
scores
0
value 3.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2250179
reference_id 2250179
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2250179
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-47641
reference_id CVE-2023-47641
reference_type
scores
0
value 3.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-47641
12
reference_url https://github.com/advisories/GHSA-xx9p-xxvh-7g8j
reference_id GHSA-xx9p-xxvh-7g8j
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xx9p-xxvh-7g8j
13
reference_url https://security.gentoo.org/glsa/202408-11
reference_id GLSA-202408-11
reference_type
scores
url https://security.gentoo.org/glsa/202408-11
fixed_packages
0
url pkg:pypi/aiohttp@3.8.0
purl pkg:pypi/aiohttp@3.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bcuu-jvzt-6fhn
1
vulnerability VCID-bhkk-2b7c-wfgr
2
vulnerability VCID-d3pa-kwgz-vuag
3
vulnerability VCID-ft9z-nd6x-27dz
4
vulnerability VCID-jxqg-x9dh-z3hb
5
vulnerability VCID-k122-7d38-2ug5
6
vulnerability VCID-peyu-fxyx-ayde
7
vulnerability VCID-pmr9-w1fc-93cm
8
vulnerability VCID-pqus-ew4j-k7da
9
vulnerability VCID-qrus-4szm-c3bj
10
vulnerability VCID-sjws-ddnq-fke2
11
vulnerability VCID-t9gx-etxx-vkgb
12
vulnerability VCID-tn28-662n-vug8
13
vulnerability VCID-ttq3-65ny-skdg
14
vulnerability VCID-ue33-na1g-rqa7
15
vulnerability VCID-vqvz-jfqh-jkaz
16
vulnerability VCID-zf8d-kxf1-sqds
17
vulnerability VCID-zm3a-mf2z-xfcm
18
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.8.0
aliases CVE-2023-47641, GHSA-xx9p-xxvh-7g8j, PYSEC-2023-247
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t2aj-cszz-tyd7
13
url VCID-t9gx-etxx-vkgb
vulnerability_id VCID-t9gx-etxx-vkgb
summary 
AIOHTTP vulnerable to DoS when bypassing asserts
### Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.

### Impact
If optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message.

------

Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69227.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69227.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69227
reference_id
reference_type
scores
0
value 0.00063
scoring_system epss
scoring_elements 0.19572
published_at 2026-04-18T12:55:00Z
1
value 0.00063
scoring_system epss
scoring_elements 0.19782
published_at 2026-04-02T12:55:00Z
2
value 0.00063
scoring_system epss
scoring_elements 0.19835
published_at 2026-04-04T12:55:00Z
3
value 0.00063
scoring_system epss
scoring_elements 0.19557
published_at 2026-04-07T12:55:00Z
4
value 0.00063
scoring_system epss
scoring_elements 0.19637
published_at 2026-04-08T12:55:00Z
5
value 0.00063
scoring_system epss
scoring_elements 0.19689
published_at 2026-04-09T12:55:00Z
6
value 0.00063
scoring_system epss
scoring_elements 0.19695
published_at 2026-04-11T12:55:00Z
7
value 0.00063
scoring_system epss
scoring_elements 0.19646
published_at 2026-04-12T12:55:00Z
8
value 0.00063
scoring_system epss
scoring_elements 0.19587
published_at 2026-04-13T12:55:00Z
9
value 0.00063
scoring_system epss
scoring_elements 0.19565
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69227
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69227
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:12Z/
url https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259
6
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:12Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69227
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69227
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427256
reference_id 2427256
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427256
9
reference_url https://github.com/advisories/GHSA-jj3x-wxrx-4x23
reference_id GHSA-jj3x-wxrx-4x23
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jj3x-wxrx-4x23
10
reference_url https://access.redhat.com/errata/RHSA-2026:3782
reference_id RHSA-2026:3782
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3782
11
reference_url https://access.redhat.com/errata/RHSA-2026:5809
reference_id RHSA-2026:5809
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5809
12
reference_url https://access.redhat.com/errata/RHSA-2026:6761
reference_id RHSA-2026:6761
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6761
13
reference_url https://access.redhat.com/errata/RHSA-2026:6762
reference_id RHSA-2026:6762
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6762
14
reference_url https://usn.ubuntu.com/8032-1/
reference_id USN-8032-1
reference_type
scores
url https://usn.ubuntu.com/8032-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.13.3
purl pkg:pypi/aiohttp@3.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-19q4-vzzb-8uca
1
vulnerability VCID-5f1f-mrwv-zucz
2
vulnerability VCID-cg9h-fysf-xygf
3
vulnerability VCID-dr2r-7qda-tfh5
4
vulnerability VCID-drqp-x9gc-2qd3
5
vulnerability VCID-g4rj-1kzy-pkft
6
vulnerability VCID-hyh4-58xy-xfge
7
vulnerability VCID-kf4p-q9n9-ayhn
8
vulnerability VCID-qt9z-6kwe-wbht
9
vulnerability VCID-tmjw-8cdt-7yf7
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3
aliases CVE-2025-69227, GHSA-jj3x-wxrx-4x23
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gx-etxx-vkgb
14
url VCID-tn28-662n-vug8
vulnerability_id VCID-tn28-662n-vug8
summary 
aiohttp Cross-site Scripting vulnerability on index pages for static file handling
### Summary

A XSS vulnerability exists on index pages for static file handling.

### Details

When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names.

If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

### Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.

Other users can disable `show_index` if unable to upgrade.

-----

Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27306.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27306.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-27306
reference_id
reference_type
scores
0
value 0.00749
scoring_system epss
scoring_elements 0.73167
published_at 2026-04-18T12:55:00Z
1
value 0.00749
scoring_system epss
scoring_elements 0.73158
published_at 2026-04-16T12:55:00Z
2
value 0.00749
scoring_system epss
scoring_elements 0.73115
published_at 2026-04-13T12:55:00Z
3
value 0.00749
scoring_system epss
scoring_elements 0.73121
published_at 2026-04-12T12:55:00Z
4
value 0.00749
scoring_system epss
scoring_elements 0.73141
published_at 2026-04-11T12:55:00Z
5
value 0.00749
scoring_system epss
scoring_elements 0.73117
published_at 2026-04-09T12:55:00Z
6
value 0.00749
scoring_system epss
scoring_elements 0.73066
published_at 2026-04-07T12:55:00Z
7
value 0.00749
scoring_system epss
scoring_elements 0.73103
published_at 2026-04-08T12:55:00Z
8
value 0.00749
scoring_system epss
scoring_elements 0.73072
published_at 2026-04-02T12:55:00Z
9
value 0.00749
scoring_system epss
scoring_elements 0.73092
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-27306
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27306
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27306
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/
url https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
6
reference_url https://github.com/aio-libs/aiohttp/pull/8319
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/
url https://github.com/aio-libs/aiohttp/pull/8319
7
reference_url https://github.com/aio-libs/aiohttp/pull/8319/files
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/pull/8319/files
8
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
9
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-27306
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-27306
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070665
reference_id 1070665
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070665
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2275989
reference_id 2275989
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2275989
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP/
reference_id 2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP/
17
reference_url https://github.com/advisories/GHSA-7gpw-8wmc-pm8g
reference_id GHSA-7gpw-8wmc-pm8g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7gpw-8wmc-pm8g
18
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U/
reference_id NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U/
19
reference_url https://access.redhat.com/errata/RHSA-2024:3781
reference_id RHSA-2024:3781
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3781
20
reference_url https://access.redhat.com/errata/RHSA-2024:5662
reference_id RHSA-2024:5662
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5662
21
reference_url https://access.redhat.com/errata/RHSA-2025:1335
reference_id RHSA-2025:1335
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1335
22
reference_url https://usn.ubuntu.com/7642-1/
reference_id USN-7642-1
reference_type
scores
url https://usn.ubuntu.com/7642-1/
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3/
reference_id ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3/
fixed_packages
0
url pkg:pypi/aiohttp@3.9.4
purl pkg:pypi/aiohttp@3.9.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d3pa-kwgz-vuag
1
vulnerability VCID-ft9z-nd6x-27dz
2
vulnerability VCID-k122-7d38-2ug5
3
vulnerability VCID-peyu-fxyx-ayde
4
vulnerability VCID-qrus-4szm-c3bj
5
vulnerability VCID-sjws-ddnq-fke2
6
vulnerability VCID-t9gx-etxx-vkgb
7
vulnerability VCID-vqvz-jfqh-jkaz
8
vulnerability VCID-zm3a-mf2z-xfcm
9
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.4
aliases CVE-2024-27306, GHSA-7gpw-8wmc-pm8g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tn28-662n-vug8
15
url VCID-ttq3-65ny-skdg
vulnerability_id VCID-ttq3-65ny-skdg
summary 
aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
### Impact

aiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.

This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`).

### Reproducer

```python
from aiohttp import web

async def example(request: web.Request):
    headers = dict(request.headers)
    body = await request.content.read()
    return web.Response(text=f"headers: {headers} body: {body}")

app = web.Application()
app.add_routes([web.post('/', example)])
web.run_app(app)
```

Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.

```console
$ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \
  | nc localhost 8080

Expected output:
  headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b''

Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently)
  headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'
```

### Patches

Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: [`pip install aiohttp >= 3.8.5`](https://pypi.org/project/aiohttp/3.8.5/)

### Workarounds

If you aren't able to upgrade you can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:

```console
$ python -m pip uninstall --yes aiohttp
$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp
```

### References

* https://nvd.nist.gov/vuln/detail/CVE-2023-30589
* https://hackerone.com/reports/2001873
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37276.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37276.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-37276
reference_id
reference_type
scores
0
value 0.05775
scoring_system epss
scoring_elements 0.9048
published_at 2026-04-09T12:55:00Z
1
value 0.05775
scoring_system epss
scoring_elements 0.90474
published_at 2026-04-08T12:55:00Z
2
value 0.05775
scoring_system epss
scoring_elements 0.90462
published_at 2026-04-07T12:55:00Z
3
value 0.05775
scoring_system epss
scoring_elements 0.90456
published_at 2026-04-04T12:55:00Z
4
value 0.05775
scoring_system epss
scoring_elements 0.90444
published_at 2026-04-02T12:55:00Z
5
value 0.05775
scoring_system epss
scoring_elements 0.90498
published_at 2026-04-18T12:55:00Z
6
value 0.05775
scoring_system epss
scoring_elements 0.90481
published_at 2026-04-13T12:55:00Z
7
value 0.05775
scoring_system epss
scoring_elements 0.90487
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-37276
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
4
reference_url https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:05:51Z/
url https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules
5
reference_url https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:05:51Z/
url https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
6
reference_url https://github.com/aio-libs/aiohttp/commit/9c13a52c21c23dfdb49ed89418d28a5b116d0681
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/commit/9c13a52c21c23dfdb49ed89418d28a5b116d0681
7
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:05:51Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-120.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-120.yaml
9
reference_url https://hackerone.com/reports/2001873
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:05:51Z/
url https://hackerone.com/reports/2001873
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37276
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-37276
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2224185
reference_id 2224185
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2224185
12
reference_url https://github.com/advisories/GHSA-45c4-8wx5-qw6w
reference_id GHSA-45c4-8wx5-qw6w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-45c4-8wx5-qw6w
13
reference_url https://access.redhat.com/errata/RHSA-2024:1878
reference_id RHSA-2024:1878
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1878
fixed_packages
0
url pkg:pypi/aiohttp@3.8.5
purl pkg:pypi/aiohttp@3.8.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bcuu-jvzt-6fhn
1
vulnerability VCID-bhkk-2b7c-wfgr
2
vulnerability VCID-d3pa-kwgz-vuag
3
vulnerability VCID-ft9z-nd6x-27dz
4
vulnerability VCID-jxqg-x9dh-z3hb
5
vulnerability VCID-k122-7d38-2ug5
6
vulnerability VCID-peyu-fxyx-ayde
7
vulnerability VCID-pmr9-w1fc-93cm
8
vulnerability VCID-pqus-ew4j-k7da
9
vulnerability VCID-qrus-4szm-c3bj
10
vulnerability VCID-sjws-ddnq-fke2
11
vulnerability VCID-t9gx-etxx-vkgb
12
vulnerability VCID-tn28-662n-vug8
13
vulnerability VCID-ue33-na1g-rqa7
14
vulnerability VCID-vqvz-jfqh-jkaz
15
vulnerability VCID-zf8d-kxf1-sqds
16
vulnerability VCID-zm3a-mf2z-xfcm
17
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.8.5
1
url pkg:pypi/aiohttp@4.0.0a0
purl pkg:pypi/aiohttp@4.0.0a0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@4.0.0a0
aliases CVE-2023-37276, GHSA-45c4-8wx5-qw6w, PYSEC-2023-120
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ttq3-65ny-skdg
16
url VCID-ue33-na1g-rqa7
vulnerability_id VCID-ue33-na1g-rqa7
summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49082.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49082.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-49082
reference_id
reference_type
scores
0
value 0.00221
scoring_system epss
scoring_elements 0.44786
published_at 2026-04-09T12:55:00Z
1
value 0.00221
scoring_system epss
scoring_elements 0.4482
published_at 2026-04-18T12:55:00Z
2
value 0.00221
scoring_system epss
scoring_elements 0.44826
published_at 2026-04-16T12:55:00Z
3
value 0.00221
scoring_system epss
scoring_elements 0.44773
published_at 2026-04-13T12:55:00Z
4
value 0.00221
scoring_system epss
scoring_elements 0.44772
published_at 2026-04-12T12:55:00Z
5
value 0.00221
scoring_system epss
scoring_elements 0.44802
published_at 2026-04-11T12:55:00Z
6
value 0.00221
scoring_system epss
scoring_elements 0.44783
published_at 2026-04-08T12:55:00Z
7
value 0.00221
scoring_system epss
scoring_elements 0.4473
published_at 2026-04-07T12:55:00Z
8
value 0.00221
scoring_system epss
scoring_elements 0.44791
published_at 2026-04-04T12:55:00Z
9
value 0.00221
scoring_system epss
scoring_elements 0.4477
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-49082
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49082
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49082
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
5
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
6
reference_url https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
7
reference_url https://github.com/aio-libs/aiohttp/pull/7806/files
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/pull/7806/files
8
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
9
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yaml
10
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057164
reference_id 1057164
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057164
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2252248
reference_id 2252248
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2252248
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-49082
reference_id CVE-2023-49082
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-49082
16
reference_url https://github.com/advisories/GHSA-qvrw-v9rv-5rjx
reference_id GHSA-qvrw-v9rv-5rjx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qvrw-v9rv-5rjx
17
reference_url https://security.gentoo.org/glsa/202408-11
reference_id GLSA-202408-11
reference_type
scores
url https://security.gentoo.org/glsa/202408-11
18
reference_url https://access.redhat.com/errata/RHSA-2024:1057
reference_id RHSA-2024:1057
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1057
19
reference_url https://access.redhat.com/errata/RHSA-2024:1878
reference_id RHSA-2024:1878
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1878
20
reference_url https://usn.ubuntu.com/7642-1/
reference_id USN-7642-1
reference_type
scores
url https://usn.ubuntu.com/7642-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.9.0
purl pkg:pypi/aiohttp@3.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bhkk-2b7c-wfgr
1
vulnerability VCID-d3pa-kwgz-vuag
2
vulnerability VCID-ft9z-nd6x-27dz
3
vulnerability VCID-jxqg-x9dh-z3hb
4
vulnerability VCID-k122-7d38-2ug5
5
vulnerability VCID-peyu-fxyx-ayde
6
vulnerability VCID-pqus-ew4j-k7da
7
vulnerability VCID-qrus-4szm-c3bj
8
vulnerability VCID-sjws-ddnq-fke2
9
vulnerability VCID-t9gx-etxx-vkgb
10
vulnerability VCID-tn28-662n-vug8
11
vulnerability VCID-vqvz-jfqh-jkaz
12
vulnerability VCID-zm3a-mf2z-xfcm
13
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.0
aliases CVE-2023-49082, GHSA-qvrw-v9rv-5rjx, PYSEC-2023-251
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ue33-na1g-rqa7
17
url VCID-vqvz-jfqh-jkaz
vulnerability_id VCID-vqvz-jfqh-jkaz
summary 
AIOHTTP vulnerable to brute-force leak of internal static file path components
### Summary
Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the
existence of absolute path components.

### Impact
If an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.

------

Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69226.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69226.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69226
reference_id
reference_type
scores
0
value 0.00063
scoring_system epss
scoring_elements 0.19718
published_at 2026-04-18T12:55:00Z
1
value 0.00063
scoring_system epss
scoring_elements 0.19716
published_at 2026-04-16T12:55:00Z
2
value 0.00063
scoring_system epss
scoring_elements 0.19741
published_at 2026-04-13T12:55:00Z
3
value 0.00063
scoring_system epss
scoring_elements 0.19798
published_at 2026-04-12T12:55:00Z
4
value 0.00063
scoring_system epss
scoring_elements 0.19843
published_at 2026-04-11T12:55:00Z
5
value 0.00063
scoring_system epss
scoring_elements 0.1984
published_at 2026-04-09T12:55:00Z
6
value 0.00063
scoring_system epss
scoring_elements 0.19982
published_at 2026-04-04T12:55:00Z
7
value 0.00063
scoring_system epss
scoring_elements 0.19788
published_at 2026-04-08T12:55:00Z
8
value 0.00063
scoring_system epss
scoring_elements 0.19927
published_at 2026-04-02T12:55:00Z
9
value 0.00063
scoring_system epss
scoring_elements 0.19708
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69226
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69226
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:35Z/
url https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
6
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:35Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69226
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69226
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427245
reference_id 2427245
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427245
9
reference_url https://github.com/advisories/GHSA-54jq-c3m8-4m76
reference_id GHSA-54jq-c3m8-4m76
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-54jq-c3m8-4m76
10
reference_url https://usn.ubuntu.com/8032-1/
reference_id USN-8032-1
reference_type
scores
url https://usn.ubuntu.com/8032-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.13.3
purl pkg:pypi/aiohttp@3.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-19q4-vzzb-8uca
1
vulnerability VCID-5f1f-mrwv-zucz
2
vulnerability VCID-cg9h-fysf-xygf
3
vulnerability VCID-dr2r-7qda-tfh5
4
vulnerability VCID-drqp-x9gc-2qd3
5
vulnerability VCID-g4rj-1kzy-pkft
6
vulnerability VCID-hyh4-58xy-xfge
7
vulnerability VCID-kf4p-q9n9-ayhn
8
vulnerability VCID-qt9z-6kwe-wbht
9
vulnerability VCID-tmjw-8cdt-7yf7
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3
aliases CVE-2025-69226, GHSA-54jq-c3m8-4m76
risk_score 2.9
exploitability 0.5
weighted_severity 5.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vqvz-jfqh-jkaz
18
url VCID-wrsz-1761-ybeq
vulnerability_id VCID-wrsz-1761-ybeq
summary aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-1000519
reference_id
reference_type
scores
0
value 0.00217
scoring_system epss
scoring_elements 0.44321
published_at 2026-04-02T12:55:00Z
1
value 0.00217
scoring_system epss
scoring_elements 0.44368
published_at 2026-04-18T12:55:00Z
2
value 0.00217
scoring_system epss
scoring_elements 0.44377
published_at 2026-04-16T12:55:00Z
3
value 0.00217
scoring_system epss
scoring_elements 0.4432
published_at 2026-04-13T12:55:00Z
4
value 0.00217
scoring_system epss
scoring_elements 0.44322
published_at 2026-04-12T12:55:00Z
5
value 0.00217
scoring_system epss
scoring_elements 0.44354
published_at 2026-04-11T12:55:00Z
6
value 0.00217
scoring_system epss
scoring_elements 0.44336
published_at 2026-04-09T12:55:00Z
7
value 0.00217
scoring_system epss
scoring_elements 0.44331
published_at 2026-04-08T12:55:00Z
8
value 0.00217
scoring_system epss
scoring_elements 0.44279
published_at 2026-04-07T12:55:00Z
9
value 0.00217
scoring_system epss
scoring_elements 0.44343
published_at 2026-04-04T12:55:00Z
10
value 0.00217
scoring_system epss
scoring_elements 0.4425
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-1000519
1
reference_url https://github.com/advisories/GHSA-fpwp-69xv-c67f
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-fpwp-69xv-c67f
2
reference_url https://github.com/aio-libs/aiohttp-session
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp-session
3
reference_url https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L60
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L60
4
reference_url https://github.com/aio-libs/aiohttp-session/commit/6b7864004d3442dbcfaf8687f63262c1c629f569
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp-session/commit/6b7864004d3442dbcfaf8687f63262c1c629f569
5
reference_url https://github.com/aio-libs/aiohttp-session/issues/272
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp-session/issues/272
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp-session/PYSEC-2018-80.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp-session/PYSEC-2018-80.yaml
7
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:aio-libs:aiohttp_session:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:aio-libs:aiohttp_session:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:aio-libs:aiohttp_session:*:*:*:*:*:*:*:*
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-1000519
reference_id CVE-2018-1000519
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:N/I:P/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
2
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
3
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-1000519
fixed_packages
0
url pkg:pypi/aiohttp@2.4.0
purl pkg:pypi/aiohttp@2.4.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@2.4.0
1
url pkg:pypi/aiohttp@3.0.0b0
purl pkg:pypi/aiohttp@3.0.0b0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-88cm-cxp9-ekgn
1
vulnerability VCID-bcuu-jvzt-6fhn
2
vulnerability VCID-bhkk-2b7c-wfgr
3
vulnerability VCID-d3pa-kwgz-vuag
4
vulnerability VCID-ft9z-nd6x-27dz
5
vulnerability VCID-jxqg-x9dh-z3hb
6
vulnerability VCID-k122-7d38-2ug5
7
vulnerability VCID-peyu-fxyx-ayde
8
vulnerability VCID-pmr9-w1fc-93cm
9
vulnerability VCID-pqus-ew4j-k7da
10
vulnerability VCID-qrus-4szm-c3bj
11
vulnerability VCID-sjws-ddnq-fke2
12
vulnerability VCID-t2aj-cszz-tyd7
13
vulnerability VCID-t9gx-etxx-vkgb
14
vulnerability VCID-tn28-662n-vug8
15
vulnerability VCID-ttq3-65ny-skdg
16
vulnerability VCID-ue33-na1g-rqa7
17
vulnerability VCID-vqvz-jfqh-jkaz
18
vulnerability VCID-zf8d-kxf1-sqds
19
vulnerability VCID-zm3a-mf2z-xfcm
20
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.0.0b0
aliases CVE-2018-1000519, GHSA-fpwp-69xv-c67f, PYSEC-2018-80
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wrsz-1761-ybeq
19
url VCID-zf8d-kxf1-sqds
vulnerability_id VCID-zf8d-kxf1-sqds
summary 
aiohttp has vulnerable dependency that is vulnerable to request smuggling
### Summary
llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities.
Details have not been disclosed yet, so refer to llhttp for future information.
The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).
references
0
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
1
reference_url https://github.com/aio-libs/aiohttp/commit/996de2629ef6b4c2934a7c04dfd49d0950d4c43b
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/commit/996de2629ef6b4c2934a7c04dfd49d0950d4c43b
2
reference_url https://github.com/aio-libs/aiohttp/commit/bcc416e533796d04fb8124ef1e7686b1f338767a
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/commit/bcc416e533796d04fb8124ef1e7686b1f338767a
3
reference_url https://github.com/advisories/GHSA-pjjw-qhg8-p2p9
reference_id GHSA-pjjw-qhg8-p2p9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pjjw-qhg8-p2p9
4
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
reference_id GHSA-pjjw-qhg8-p2p9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
fixed_packages
0
url pkg:pypi/aiohttp@3.8.6
purl pkg:pypi/aiohttp@3.8.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bcuu-jvzt-6fhn
1
vulnerability VCID-bhkk-2b7c-wfgr
2
vulnerability VCID-d3pa-kwgz-vuag
3
vulnerability VCID-ft9z-nd6x-27dz
4
vulnerability VCID-jxqg-x9dh-z3hb
5
vulnerability VCID-k122-7d38-2ug5
6
vulnerability VCID-peyu-fxyx-ayde
7
vulnerability VCID-pqus-ew4j-k7da
8
vulnerability VCID-qrus-4szm-c3bj
9
vulnerability VCID-sjws-ddnq-fke2
10
vulnerability VCID-t9gx-etxx-vkgb
11
vulnerability VCID-tn28-662n-vug8
12
vulnerability VCID-ue33-na1g-rqa7
13
vulnerability VCID-vqvz-jfqh-jkaz
14
vulnerability VCID-zm3a-mf2z-xfcm
15
vulnerability VCID-zrgm-47ph-x3g3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.8.6
aliases GHSA-pjjw-qhg8-p2p9, GMS-2023-5095
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zf8d-kxf1-sqds
20
url VCID-zm3a-mf2z-xfcm
vulnerability_id VCID-zm3a-mf2z-xfcm
summary 
AIOHTTP Vulnerable to Cookie Parser Warning Storm
### Summary
Reading multiple invalid cookies can lead to a logging storm.

### Impact
If the ``cookies`` attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.

----

Patch: https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69230.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69230.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-69230
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02533
published_at 2026-04-18T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02528
published_at 2026-04-16T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02541
published_at 2026-04-13T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02554
published_at 2026-04-11T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02572
published_at 2026-04-09T12:55:00Z
5
value 0.00014
scoring_system epss
scoring_elements 0.02551
published_at 2026-04-08T12:55:00Z
6
value 0.00014
scoring_system epss
scoring_elements 0.02546
published_at 2026-04-07T12:55:00Z
7
value 0.00014
scoring_system epss
scoring_elements 0.02529
published_at 2026-04-02T12:55:00Z
8
value 0.00014
scoring_system epss
scoring_elements 0.02543
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-69230
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69230
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69230
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:37Z/
url https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326
6
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:37Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-69230
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-69230
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2427255
reference_id 2427255
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2427255
9
reference_url https://github.com/advisories/GHSA-fh55-r93g-j68g
reference_id GHSA-fh55-r93g-j68g
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fh55-r93g-j68g
fixed_packages
0
url pkg:pypi/aiohttp@3.13.3
purl pkg:pypi/aiohttp@3.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-19q4-vzzb-8uca
1
vulnerability VCID-5f1f-mrwv-zucz
2
vulnerability VCID-cg9h-fysf-xygf
3
vulnerability VCID-dr2r-7qda-tfh5
4
vulnerability VCID-drqp-x9gc-2qd3
5
vulnerability VCID-g4rj-1kzy-pkft
6
vulnerability VCID-hyh4-58xy-xfge
7
vulnerability VCID-kf4p-q9n9-ayhn
8
vulnerability VCID-qt9z-6kwe-wbht
9
vulnerability VCID-tmjw-8cdt-7yf7
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3
aliases CVE-2025-69230, GHSA-fh55-r93g-j68g
risk_score 2.5
exploitability 0.5
weighted_severity 4.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zm3a-mf2z-xfcm
21
url VCID-zrgm-47ph-x3g3
vulnerability_id VCID-zrgm-47ph-x3g3
summary 
aiohttp allows request smuggling due to incorrect parsing of chunk extensions
### Summary
The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52304.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52304.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-52304
reference_id
reference_type
scores
0
value 0.00456
scoring_system epss
scoring_elements 0.63921
published_at 2026-04-18T12:55:00Z
1
value 0.00456
scoring_system epss
scoring_elements 0.63911
published_at 2026-04-16T12:55:00Z
2
value 0.00456
scoring_system epss
scoring_elements 0.63876
published_at 2026-04-13T12:55:00Z
3
value 0.00456
scoring_system epss
scoring_elements 0.63909
published_at 2026-04-12T12:55:00Z
4
value 0.00456
scoring_system epss
scoring_elements 0.63923
published_at 2026-04-11T12:55:00Z
5
value 0.00456
scoring_system epss
scoring_elements 0.6391
published_at 2026-04-09T12:55:00Z
6
value 0.00456
scoring_system epss
scoring_elements 0.63892
published_at 2026-04-08T12:55:00Z
7
value 0.00456
scoring_system epss
scoring_elements 0.63842
published_at 2026-04-07T12:55:00Z
8
value 0.00456
scoring_system epss
scoring_elements 0.63858
published_at 2026-04-02T12:55:00Z
9
value 0.00456
scoring_system epss
scoring_elements 0.63885
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-52304
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52304
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52304
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/aio-libs/aiohttp
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/aio-libs/aiohttp
5
reference_url https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-19T15:38:44Z/
url https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
6
reference_url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-19T15:38:44Z/
url https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr
7
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-52304
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-52304
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088109
reference_id 1088109
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088109
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2327130
reference_id 2327130
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2327130
11
reference_url https://github.com/advisories/GHSA-8495-4g3g-x7pr
reference_id GHSA-8495-4g3g-x7pr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8495-4g3g-x7pr
12
reference_url https://access.redhat.com/errata/RHSA-2024:10766
reference_id RHSA-2024:10766
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10766
13
reference_url https://access.redhat.com/errata/RHSA-2024:11574
reference_id RHSA-2024:11574
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11574
14
reference_url https://access.redhat.com/errata/RHSA-2025:0340
reference_id RHSA-2025:0340
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0340
15
reference_url https://access.redhat.com/errata/RHSA-2025:0341
reference_id RHSA-2025:0341
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0341
16
reference_url https://access.redhat.com/errata/RHSA-2025:0722
reference_id RHSA-2025:0722
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0722
17
reference_url https://access.redhat.com/errata/RHSA-2025:0753
reference_id RHSA-2025:0753
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0753
18
reference_url https://access.redhat.com/errata/RHSA-2025:1101
reference_id RHSA-2025:1101
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1101
19
reference_url https://usn.ubuntu.com/7642-1/
reference_id USN-7642-1
reference_type
scores
url https://usn.ubuntu.com/7642-1/
fixed_packages
0
url pkg:pypi/aiohttp@3.10.11
purl pkg:pypi/aiohttp@3.10.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d3pa-kwgz-vuag
1
vulnerability VCID-ft9z-nd6x-27dz
2
vulnerability VCID-k122-7d38-2ug5
3
vulnerability VCID-peyu-fxyx-ayde
4
vulnerability VCID-qrus-4szm-c3bj
5
vulnerability VCID-sjws-ddnq-fke2
6
vulnerability VCID-t9gx-etxx-vkgb
7
vulnerability VCID-vqvz-jfqh-jkaz
8
vulnerability VCID-zm3a-mf2z-xfcm
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.10.11
aliases CVE-2024-52304, GHSA-8495-4g3g-x7pr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zrgm-47ph-x3g3
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@2.2.4