Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/aiohttp@3.9.0rc0

Type pypi

Namespace

Name aiohttp

Version 3.9.0rc0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.13.4

Latest_non_vulnerable_version 4.0.0a0

Affected_by_vulnerabilities

url VCID-bcuu-jvzt-6fhn

vulnerability_id VCID-bcuu-jvzt-6fhn

summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49081.json

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49081.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-49081

reference_id

reference_type

scores

value	0.00457
scoring_system	epss
scoring_elements	0.63965
published_at	2026-04-18T12:55:00Z

value	0.00457
scoring_system	epss
scoring_elements	0.63928
published_at	2026-04-04T12:55:00Z

value	0.00457
scoring_system	epss
scoring_elements	0.63886
published_at	2026-04-07T12:55:00Z

value	0.00457
scoring_system	epss
scoring_elements	0.63902
published_at	2026-04-02T12:55:00Z

value	0.00457
scoring_system	epss
scoring_elements	0.6392
published_at	2026-04-13T12:55:00Z

value	0.00457
scoring_system	epss
scoring_elements	0.63953
published_at	2026-04-12T12:55:00Z

value	0.00457
scoring_system	epss
scoring_elements	0.63967
published_at	2026-04-11T12:55:00Z

value	0.00457
scoring_system	epss
scoring_elements	0.63955
published_at	2026-04-16T12:55:00Z

value	0.00457
scoring_system	epss
scoring_elements	0.63937
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-49081

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49081
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49081

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b

reference_url

https://github.com/aio-libs/aiohttp/pull/7835/files

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/pull/7835/files

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-250.yaml

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-250.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057163
reference_id	1057163
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057163

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2252235
reference_id	2252235
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2252235

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-49081

reference_id

CVE-2023-49081

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-49081

reference_url

https://github.com/advisories/GHSA-q3qx-c6g2-7pw2

reference_id

GHSA-q3qx-c6g2-7pw2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q3qx-c6g2-7pw2

reference_url	https://access.redhat.com/errata/RHSA-2024:1057
reference_id	RHSA-2024:1057
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1057

reference_url	https://access.redhat.com/errata/RHSA-2024:1878
reference_id	RHSA-2024:1878
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1878

reference_url	https://usn.ubuntu.com/7642-1/
reference_id	USN-7642-1
reference_type
scores
url	https://usn.ubuntu.com/7642-1/

fixed_packages

url pkg:pypi/aiohttp@3.9.0

purl pkg:pypi/aiohttp@3.9.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bhkk-2b7c-wfgr

vulnerability	VCID-d3pa-kwgz-vuag

vulnerability	VCID-ft9z-nd6x-27dz

vulnerability	VCID-jxqg-x9dh-z3hb

vulnerability	VCID-k122-7d38-2ug5

vulnerability	VCID-peyu-fxyx-ayde

vulnerability	VCID-pqus-ew4j-k7da

vulnerability	VCID-qrus-4szm-c3bj

vulnerability	VCID-sjws-ddnq-fke2

vulnerability	VCID-t9gx-etxx-vkgb

vulnerability	VCID-tn28-662n-vug8

vulnerability	VCID-vqvz-jfqh-jkaz

vulnerability	VCID-zm3a-mf2z-xfcm

vulnerability	VCID-zrgm-47ph-x3g3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.0

aliases CVE-2023-49081, GHSA-q3qx-c6g2-7pw2, PYSEC-2023-250

risk_score 3.2

exploitability 0.5

weighted_severity 6.5

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bcuu-jvzt-6fhn

url VCID-bhkk-2b7c-wfgr

vulnerability_id VCID-bhkk-2b7c-wfgr

summary

aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
### Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

### Impact
An attacker can stop the application from serving requests after sending a single request.

-------

For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`):

```diff
diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@@ -338,6 +338,8 @@ class BodyPartReader:
         assert self._length is not None, "Content-Length required for chunked read"
         chunk_size = min(size, self._length - self._read_bytes)
         chunk = await self._content.read(chunk_size)
+        if self._content.at_eof():
+            self._at_eof = True
         return chunk
 
     async def _read_chunk_from_stream(self, size: int) -> bytes:
```

This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30251.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30251.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-30251

reference_id

reference_type

scores

value	0.00359
scoring_system	epss
scoring_elements	0.58159
published_at	2026-04-18T12:55:00Z

value	0.00359
scoring_system	epss
scoring_elements	0.58128
published_at	2026-04-13T12:55:00Z

value	0.00359
scoring_system	epss
scoring_elements	0.58147
published_at	2026-04-12T12:55:00Z

value	0.00359
scoring_system	epss
scoring_elements	0.58171
published_at	2026-04-11T12:55:00Z

value	0.00359
scoring_system	epss
scoring_elements	0.58155
published_at	2026-04-09T12:55:00Z

value	0.00359
scoring_system	epss
scoring_elements	0.58097
published_at	2026-04-07T12:55:00Z

value	0.00359
scoring_system	epss
scoring_elements	0.58123
published_at	2026-04-04T12:55:00Z

value	0.00359
scoring_system	epss
scoring_elements	0.58101
published_at	2026-04-02T12:55:00Z

value	0.00359
scoring_system	epss
scoring_elements	0.58151
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-30251

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30251
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30251

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/

url

https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597

reference_url

https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/

url

https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19

reference_url

https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/

url

https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84

reference_url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-30251

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-30251

reference_url

http://www.openwall.com/lists/oss-security/2024/05/02/4

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:13:44Z/

url

http://www.openwall.com/lists/oss-security/2024/05/02/4

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070364
reference_id	1070364
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070364

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2278710
reference_id	2278710
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2278710

reference_url

https://github.com/advisories/GHSA-5m98-qgg9-wh84

reference_id

GHSA-5m98-qgg9-wh84

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5m98-qgg9-wh84

reference_url	https://security.gentoo.org/glsa/202408-11
reference_id	GLSA-202408-11
reference_type
scores
url	https://security.gentoo.org/glsa/202408-11

reference_url	https://access.redhat.com/errata/RHSA-2024:3781
reference_id	RHSA-2024:3781
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3781

reference_url	https://access.redhat.com/errata/RHSA-2025:1335
reference_id	RHSA-2025:1335
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:1335

reference_url	https://usn.ubuntu.com/7642-1/
reference_id	USN-7642-1
reference_type
scores
url	https://usn.ubuntu.com/7642-1/

fixed_packages

url pkg:pypi/aiohttp@3.9.4

purl pkg:pypi/aiohttp@3.9.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-d3pa-kwgz-vuag

vulnerability	VCID-ft9z-nd6x-27dz

vulnerability	VCID-k122-7d38-2ug5

vulnerability	VCID-peyu-fxyx-ayde

vulnerability	VCID-qrus-4szm-c3bj

vulnerability	VCID-sjws-ddnq-fke2

vulnerability	VCID-t9gx-etxx-vkgb

vulnerability	VCID-vqvz-jfqh-jkaz

vulnerability	VCID-zm3a-mf2z-xfcm

vulnerability	VCID-zrgm-47ph-x3g3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.4

aliases CVE-2024-30251, GHSA-5m98-qgg9-wh84

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bhkk-2b7c-wfgr

url VCID-d3pa-kwgz-vuag

vulnerability_id VCID-d3pa-kwgz-vuag

summary

AIOHTTP vulnerable to  denial of service through large payloads
### Summary
A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.

### Impact
If an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69228.json

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69228.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-69228

reference_id

reference_type

scores

value	0.00063
scoring_system	epss
scoring_elements	0.19572
published_at	2026-04-18T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19782
published_at	2026-04-02T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19835
published_at	2026-04-04T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19557
published_at	2026-04-07T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19637
published_at	2026-04-08T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19689
published_at	2026-04-09T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19695
published_at	2026-04-11T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19646
published_at	2026-04-12T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19587
published_at	2026-04-13T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19565
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-69228

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69228
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69228

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:03Z/

url

https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:03Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-69228

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-69228

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2427254
reference_id	2427254
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2427254

reference_url

https://github.com/advisories/GHSA-6jhg-hg63-jvvf

reference_id

GHSA-6jhg-hg63-jvvf

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6jhg-hg63-jvvf

reference_url	https://access.redhat.com/errata/RHSA-2026:3782
reference_id	RHSA-2026:3782
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3782

reference_url	https://access.redhat.com/errata/RHSA-2026:5809
reference_id	RHSA-2026:5809
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5809

reference_url	https://access.redhat.com/errata/RHSA-2026:6761
reference_id	RHSA-2026:6761
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6761

reference_url	https://access.redhat.com/errata/RHSA-2026:6762
reference_id	RHSA-2026:6762
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6762

reference_url	https://usn.ubuntu.com/8032-1/
reference_id	USN-8032-1
reference_type
scores
url	https://usn.ubuntu.com/8032-1/

fixed_packages

url pkg:pypi/aiohttp@3.13.3

purl pkg:pypi/aiohttp@3.13.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19q4-vzzb-8uca

vulnerability	VCID-5f1f-mrwv-zucz

vulnerability	VCID-cg9h-fysf-xygf

vulnerability	VCID-dr2r-7qda-tfh5

vulnerability	VCID-drqp-x9gc-2qd3

vulnerability	VCID-g4rj-1kzy-pkft

vulnerability	VCID-hyh4-58xy-xfge

vulnerability	VCID-kf4p-q9n9-ayhn

vulnerability	VCID-qt9z-6kwe-wbht

vulnerability	VCID-tmjw-8cdt-7yf7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3

aliases CVE-2025-69228, GHSA-6jhg-hg63-jvvf

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d3pa-kwgz-vuag

url VCID-ft9z-nd6x-27dz

vulnerability_id VCID-ft9z-nd6x-27dz

summary

AIOHTTP has unicode match groups in regexes for ASCII protocol elements
### Summary

The parser allows non-ASCII decimals to be present in the Range header.

### Impact

There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.

----

Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69225.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69225.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-69225

reference_id

reference_type

scores

value	0.00045
scoring_system	epss
scoring_elements	0.13833
published_at	2026-04-18T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.14072
published_at	2026-04-02T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.14126
published_at	2026-04-04T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13932
published_at	2026-04-07T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.14014
published_at	2026-04-08T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.14067
published_at	2026-04-09T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.14022
published_at	2026-04-11T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13985
published_at	2026-04-12T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13935
published_at	2026-04-13T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13839
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-69225

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69225
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69225

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:19Z/

url

https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8

reference_id

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:19Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-69225

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-69225

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2427253
reference_id	2427253
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2427253

reference_url

https://github.com/advisories/GHSA-mqqc-3gqh-h2x8

reference_id

GHSA-mqqc-3gqh-h2x8

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mqqc-3gqh-h2x8

reference_url	https://usn.ubuntu.com/8032-1/
reference_id	USN-8032-1
reference_type
scores
url	https://usn.ubuntu.com/8032-1/

fixed_packages

url pkg:pypi/aiohttp@3.13.3

purl pkg:pypi/aiohttp@3.13.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19q4-vzzb-8uca

vulnerability	VCID-5f1f-mrwv-zucz

vulnerability	VCID-cg9h-fysf-xygf

vulnerability	VCID-dr2r-7qda-tfh5

vulnerability	VCID-drqp-x9gc-2qd3

vulnerability	VCID-g4rj-1kzy-pkft

vulnerability	VCID-hyh4-58xy-xfge

vulnerability	VCID-kf4p-q9n9-ayhn

vulnerability	VCID-qt9z-6kwe-wbht

vulnerability	VCID-tmjw-8cdt-7yf7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3

aliases CVE-2025-69225, GHSA-mqqc-3gqh-h2x8

risk_score 2.5

exploitability 0.5

weighted_severity 4.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ft9z-nd6x-27dz

url VCID-jxqg-x9dh-z3hb

vulnerability_id VCID-jxqg-x9dh-z3hb

summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23829.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23829.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-23829

reference_id

reference_type

scores

value	0.00515
scoring_system	epss
scoring_elements	0.66588
published_at	2026-04-07T12:55:00Z

value	0.00515
scoring_system	epss
scoring_elements	0.66617
published_at	2026-04-04T12:55:00Z

value	0.00515
scoring_system	epss
scoring_elements	0.66674
published_at	2026-04-18T12:55:00Z

value	0.00515
scoring_system	epss
scoring_elements	0.6659
published_at	2026-04-02T12:55:00Z

value	0.00515
scoring_system	epss
scoring_elements	0.6666
published_at	2026-04-16T12:55:00Z

value	0.00515
scoring_system	epss
scoring_elements	0.66624
published_at	2026-04-13T12:55:00Z

value	0.00515
scoring_system	epss
scoring_elements	0.66657
published_at	2026-04-12T12:55:00Z

value	0.00515
scoring_system	epss
scoring_elements	0.66669
published_at	2026-04-11T12:55:00Z

value	0.00515
scoring_system	epss
scoring_elements	0.6665
published_at	2026-04-09T12:55:00Z

value	0.00515
scoring_system	epss
scoring_elements	0.66636
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-23829

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23829
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23829

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/

url

https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827

reference_url

https://github.com/aio-libs/aiohttp/pull/3235

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/pull/3235

reference_url

https://github.com/aio-libs/aiohttp/pull/8074

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/

url

https://github.com/aio-libs/aiohttp/pull/8074

reference_url

https://github.com/aio-libs/aiohttp/pull/8074/files

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/pull/8074/files

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-26.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-26.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-23829

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-23829

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062708
reference_id	1062708
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062708

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2261909
reference_id	2261909
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2261909

reference_url

https://github.com/advisories/GHSA-8qpw-xqxj-h4r2

reference_id

GHSA-8qpw-xqxj-h4r2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8qpw-xqxj-h4r2

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/

reference_id

ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/

reference_url	https://access.redhat.com/errata/RHSA-2024:1878
reference_id	RHSA-2024:1878
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1878

reference_url	https://usn.ubuntu.com/7642-1/
reference_id	USN-7642-1
reference_type
scores
url	https://usn.ubuntu.com/7642-1/

fixed_packages

url pkg:pypi/aiohttp@3.9.2

purl pkg:pypi/aiohttp@3.9.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bhkk-2b7c-wfgr

vulnerability	VCID-d3pa-kwgz-vuag

vulnerability	VCID-ft9z-nd6x-27dz

vulnerability	VCID-k122-7d38-2ug5

vulnerability	VCID-peyu-fxyx-ayde

vulnerability	VCID-qrus-4szm-c3bj

vulnerability	VCID-sjws-ddnq-fke2

vulnerability	VCID-t9gx-etxx-vkgb

vulnerability	VCID-tn28-662n-vug8

vulnerability	VCID-vqvz-jfqh-jkaz

vulnerability	VCID-zm3a-mf2z-xfcm

vulnerability	VCID-zrgm-47ph-x3g3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.2

aliases CVE-2024-23829, GHSA-8qpw-xqxj-h4r2, PYSEC-2024-26

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jxqg-x9dh-z3hb

url VCID-k122-7d38-2ug5

vulnerability_id VCID-k122-7d38-2ug5

summary

AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
### Summary
The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.

### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

----

Patch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53643.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53643.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-53643

reference_id

reference_type

scores

value	0.00078
scoring_system	epss
scoring_elements	0.23078
published_at	2026-04-07T12:55:00Z

value	0.00078
scoring_system	epss
scoring_elements	0.23289
published_at	2026-04-04T12:55:00Z

value	0.00078
scoring_system	epss
scoring_elements	0.23245
published_at	2026-04-02T12:55:00Z

value	0.00078
scoring_system	epss
scoring_elements	0.23152
published_at	2026-04-08T12:55:00Z

value	0.00086
scoring_system	epss
scoring_elements	0.24852
published_at	2026-04-18T12:55:00Z

value	0.00086
scoring_system	epss
scoring_elements	0.24925
published_at	2026-04-09T12:55:00Z

value	0.00086
scoring_system	epss
scoring_elements	0.24901
published_at	2026-04-12T12:55:00Z

value	0.00086
scoring_system	epss
scoring_elements	0.2494
published_at	2026-04-11T12:55:00Z

value	0.00086
scoring_system	epss
scoring_elements	0.24858
published_at	2026-04-16T12:55:00Z

value	0.00086
scoring_system	epss
scoring_elements	0.24847
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-53643

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53643
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53643

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a

reference_id

reference_type

scores

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T14:43:18Z/

url

https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj

reference_id

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T14:43:18Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-53643

reference_id

reference_type

scores

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-53643

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109336
reference_id	1109336
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109336

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2380000
reference_id	2380000
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2380000

reference_url

https://github.com/advisories/GHSA-9548-qrrj-x5pj

reference_id

GHSA-9548-qrrj-x5pj

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9548-qrrj-x5pj

reference_url	https://access.redhat.com/errata/RHSA-2025:22759
reference_id	RHSA-2025:22759
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:22759

reference_url	https://access.redhat.com/errata/RHSA-2025:22939
reference_id	RHSA-2025:22939
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:22939

reference_url	https://access.redhat.com/errata/RHSA-2025:22944
reference_id	RHSA-2025:22944
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:22944

reference_url	https://access.redhat.com/errata/RHSA-2025:23531
reference_id	RHSA-2025:23531
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23531

reference_url	https://access.redhat.com/errata/RHSA-2026:1249
reference_id	RHSA-2026:1249
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1249

reference_url	https://access.redhat.com/errata/RHSA-2026:1506
reference_id	RHSA-2026:1506
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1506

reference_url	https://access.redhat.com/errata/RHSA-2026:2760
reference_id	RHSA-2026:2760
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2760

reference_url	https://access.redhat.com/errata/RHSA-2026:3960
reference_id	RHSA-2026:3960
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3960

fixed_packages

url pkg:pypi/aiohttp@3.12.14

purl pkg:pypi/aiohttp@3.12.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-d3pa-kwgz-vuag

vulnerability	VCID-ft9z-nd6x-27dz

vulnerability	VCID-peyu-fxyx-ayde

vulnerability	VCID-qrus-4szm-c3bj

vulnerability	VCID-sjws-ddnq-fke2

vulnerability	VCID-t9gx-etxx-vkgb

vulnerability	VCID-vqvz-jfqh-jkaz

vulnerability	VCID-zm3a-mf2z-xfcm

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.12.14

aliases CVE-2025-53643, GHSA-9548-qrrj-x5pj

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k122-7d38-2ug5

url VCID-peyu-fxyx-ayde

vulnerability_id VCID-peyu-fxyx-ayde

summary

AIOHTTP vulnerable to DoS through chunked messages
### Summary

Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.

### Impact

If an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69229.json

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69229.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-69229

reference_id

reference_type

scores

value	0.00052
scoring_system	epss
scoring_elements	0.16223
published_at	2026-04-18T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16204
published_at	2026-04-16T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16268
published_at	2026-04-13T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16336
published_at	2026-04-12T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16391
published_at	2026-04-02T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16392
published_at	2026-04-09T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16328
published_at	2026-04-08T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16243
published_at	2026-04-07T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16454
published_at	2026-04-04T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16375
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-69229

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69229
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69229

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:45Z/

url

https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229

reference_url

https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:45Z/

url

https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:45Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-69229

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-69229

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2427257
reference_id	2427257
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2427257

reference_url

https://github.com/advisories/GHSA-g84x-mcqj-x9qq

reference_id

GHSA-g84x-mcqj-x9qq

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g84x-mcqj-x9qq

reference_url	https://usn.ubuntu.com/8032-1/
reference_id	USN-8032-1
reference_type
scores
url	https://usn.ubuntu.com/8032-1/

fixed_packages

url pkg:pypi/aiohttp@3.13.3

purl pkg:pypi/aiohttp@3.13.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19q4-vzzb-8uca

vulnerability	VCID-5f1f-mrwv-zucz

vulnerability	VCID-cg9h-fysf-xygf

vulnerability	VCID-dr2r-7qda-tfh5

vulnerability	VCID-drqp-x9gc-2qd3

vulnerability	VCID-g4rj-1kzy-pkft

vulnerability	VCID-hyh4-58xy-xfge

vulnerability	VCID-kf4p-q9n9-ayhn

vulnerability	VCID-qt9z-6kwe-wbht

vulnerability	VCID-tmjw-8cdt-7yf7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3

aliases CVE-2025-69229, GHSA-g84x-mcqj-x9qq

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-peyu-fxyx-ayde

url VCID-pqus-ew4j-k7da

vulnerability_id VCID-pqus-ew4j-k7da

summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23334.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23334.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-23334

reference_id

reference_type

scores

value	0.93482
scoring_system	epss
scoring_elements	0.99822
published_at	2026-04-11T12:55:00Z

value	0.93482
scoring_system	epss
scoring_elements	0.99824
published_at	2026-04-18T12:55:00Z

value	0.93482
scoring_system	epss
scoring_elements	0.99821
published_at	2026-04-07T12:55:00Z

value	0.93482
scoring_system	epss
scoring_elements	0.99823
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-23334

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23334
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23334

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/

url

https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

reference_url

https://github.com/aio-libs/aiohttp/pull/8079

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/

url

https://github.com/aio-libs/aiohttp/pull/8079

reference_url

https://github.com/aio-libs/aiohttp/pull/8079/files

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/pull/8079/files

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-24.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-24.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-23334

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-23334

reference_url

https://www.exploit-db.com/exploits/52474

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.exploit-db.com/exploits/52474

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062709
reference_id	1062709
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062709

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2261887
reference_id	2261887
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2261887

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/webapps/52474.txt
reference_id	CVE-2024-23334
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/webapps/52474.txt

reference_url

https://github.com/advisories/GHSA-5h86-8mv2-jq9f

reference_id

GHSA-5h86-8mv2-jq9f

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5h86-8mv2-jq9f

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/

reference_id

ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/

reference_url	https://access.redhat.com/errata/RHSA-2024:1878
reference_id	RHSA-2024:1878
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1878

reference_url	https://usn.ubuntu.com/6991-1/
reference_id	USN-6991-1
reference_type
scores
url	https://usn.ubuntu.com/6991-1/

fixed_packages

url pkg:pypi/aiohttp@3.9.2

purl pkg:pypi/aiohttp@3.9.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bhkk-2b7c-wfgr

vulnerability	VCID-d3pa-kwgz-vuag

vulnerability	VCID-ft9z-nd6x-27dz

vulnerability	VCID-k122-7d38-2ug5

vulnerability	VCID-peyu-fxyx-ayde

vulnerability	VCID-qrus-4szm-c3bj

vulnerability	VCID-sjws-ddnq-fke2

vulnerability	VCID-t9gx-etxx-vkgb

vulnerability	VCID-tn28-662n-vug8

vulnerability	VCID-vqvz-jfqh-jkaz

vulnerability	VCID-zm3a-mf2z-xfcm

vulnerability	VCID-zrgm-47ph-x3g3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.2

aliases CVE-2024-23334, GHSA-5h86-8mv2-jq9f, PYSEC-2024-24

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pqus-ew4j-k7da

url VCID-qrus-4szm-c3bj

vulnerability_id VCID-qrus-4szm-c3bj

summary

AIOHTTP's unicode processing of header values could cause parsing discrepancies
### Summary
The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.

### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

------

Patch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69224.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69224.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-69224

reference_id

reference_type

scores

value	0.00043
scoring_system	epss
scoring_elements	0.13164
published_at	2026-04-18T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13165
published_at	2026-04-16T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13259
published_at	2026-04-13T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13308
published_at	2026-04-12T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13346
published_at	2026-04-11T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13376
published_at	2026-04-09T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13325
published_at	2026-04-08T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13243
published_at	2026-04-07T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13383
published_at	2026-04-02T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13447
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-69224

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69224
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69224

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:43Z/

url

https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2

reference_id

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:43Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-69224

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-69224

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2427246
reference_id	2427246
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2427246

reference_url

https://github.com/advisories/GHSA-69f9-5gxw-wvc2

reference_id

GHSA-69f9-5gxw-wvc2

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-69f9-5gxw-wvc2

reference_url	https://usn.ubuntu.com/8032-1/
reference_id	USN-8032-1
reference_type
scores
url	https://usn.ubuntu.com/8032-1/

fixed_packages

url pkg:pypi/aiohttp@3.13.3

purl pkg:pypi/aiohttp@3.13.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19q4-vzzb-8uca

vulnerability	VCID-5f1f-mrwv-zucz

vulnerability	VCID-cg9h-fysf-xygf

vulnerability	VCID-dr2r-7qda-tfh5

vulnerability	VCID-drqp-x9gc-2qd3

vulnerability	VCID-g4rj-1kzy-pkft

vulnerability	VCID-hyh4-58xy-xfge

vulnerability	VCID-kf4p-q9n9-ayhn

vulnerability	VCID-qt9z-6kwe-wbht

vulnerability	VCID-tmjw-8cdt-7yf7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3

aliases CVE-2025-69224, GHSA-69f9-5gxw-wvc2

risk_score 2.9

exploitability 0.5

weighted_severity 5.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qrus-4szm-c3bj

url VCID-sjws-ddnq-fke2

vulnerability_id VCID-sjws-ddnq-fke2

summary

AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
### Summary
A zip bomb can be used to execute a DoS against the aiohttp server.

### Impact
An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.

------

Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69223.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69223.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-69223

reference_id

reference_type

scores

value	0.00063
scoring_system	epss
scoring_elements	0.19572
published_at	2026-04-18T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19782
published_at	2026-04-02T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19835
published_at	2026-04-04T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19557
published_at	2026-04-07T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19637
published_at	2026-04-08T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19689
published_at	2026-04-09T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19695
published_at	2026-04-11T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19646
published_at	2026-04-12T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19587
published_at	2026-04-13T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19565
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-69223

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69223
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69223

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:17Z/

url

https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:17Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-69223

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-69223

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2427456
reference_id	2427456
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2427456

reference_url

https://github.com/advisories/GHSA-6mq8-rvhq-8wgg

reference_id

GHSA-6mq8-rvhq-8wgg

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6mq8-rvhq-8wgg

reference_url	https://access.redhat.com/errata/RHSA-2026:1249
reference_id	RHSA-2026:1249
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1249

reference_url	https://access.redhat.com/errata/RHSA-2026:1497
reference_id	RHSA-2026:1497
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1497

reference_url	https://access.redhat.com/errata/RHSA-2026:1506
reference_id	RHSA-2026:1506
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1506

reference_url	https://access.redhat.com/errata/RHSA-2026:1596
reference_id	RHSA-2026:1596
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1596

reference_url	https://access.redhat.com/errata/RHSA-2026:1599
reference_id	RHSA-2026:1599
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1599

reference_url	https://access.redhat.com/errata/RHSA-2026:1609
reference_id	RHSA-2026:1609
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1609

reference_url	https://access.redhat.com/errata/RHSA-2026:2106
reference_id	RHSA-2026:2106
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2106

reference_url	https://access.redhat.com/errata/RHSA-2026:2695
reference_id	RHSA-2026:2695
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2695

reference_url	https://access.redhat.com/errata/RHSA-2026:3461
reference_id	RHSA-2026:3461
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3461

reference_url	https://access.redhat.com/errata/RHSA-2026:3462
reference_id	RHSA-2026:3462
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3462

reference_url	https://access.redhat.com/errata/RHSA-2026:3713
reference_id	RHSA-2026:3713
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3713

reference_url	https://access.redhat.com/errata/RHSA-2026:3782
reference_id	RHSA-2026:3782
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3782

reference_url	https://access.redhat.com/errata/RHSA-2026:3958
reference_id	RHSA-2026:3958
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3958

reference_url	https://access.redhat.com/errata/RHSA-2026:3959
reference_id	RHSA-2026:3959
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3959

reference_url	https://access.redhat.com/errata/RHSA-2026:3960
reference_id	RHSA-2026:3960
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3960

reference_url	https://access.redhat.com/errata/RHSA-2026:6308
reference_id	RHSA-2026:6308
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6308

reference_url	https://access.redhat.com/errata/RHSA-2026:6309
reference_id	RHSA-2026:6309
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6309

reference_url	https://access.redhat.com/errata/RHSA-2026:6404
reference_id	RHSA-2026:6404
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6404

reference_url	https://usn.ubuntu.com/8032-1/
reference_id	USN-8032-1
reference_type
scores
url	https://usn.ubuntu.com/8032-1/

fixed_packages

url pkg:pypi/aiohttp@3.13.3

purl pkg:pypi/aiohttp@3.13.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19q4-vzzb-8uca

vulnerability	VCID-5f1f-mrwv-zucz

vulnerability	VCID-cg9h-fysf-xygf

vulnerability	VCID-dr2r-7qda-tfh5

vulnerability	VCID-drqp-x9gc-2qd3

vulnerability	VCID-g4rj-1kzy-pkft

vulnerability	VCID-hyh4-58xy-xfge

vulnerability	VCID-kf4p-q9n9-ayhn

vulnerability	VCID-qt9z-6kwe-wbht

vulnerability	VCID-tmjw-8cdt-7yf7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3

aliases CVE-2025-69223, GHSA-6mq8-rvhq-8wgg

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sjws-ddnq-fke2

url VCID-t9gx-etxx-vkgb

vulnerability_id VCID-t9gx-etxx-vkgb

summary

AIOHTTP vulnerable to DoS when bypassing asserts
### Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.

### Impact
If optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message.

------

Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69227.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69227.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-69227

reference_id

reference_type

scores

value	0.00063
scoring_system	epss
scoring_elements	0.19572
published_at	2026-04-18T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19782
published_at	2026-04-02T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19835
published_at	2026-04-04T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19557
published_at	2026-04-07T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19637
published_at	2026-04-08T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19689
published_at	2026-04-09T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19695
published_at	2026-04-11T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19646
published_at	2026-04-12T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19587
published_at	2026-04-13T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19565
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-69227

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69227
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69227

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:12Z/

url

https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:12Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-69227

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-69227

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2427256
reference_id	2427256
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2427256

reference_url

https://github.com/advisories/GHSA-jj3x-wxrx-4x23

reference_id

GHSA-jj3x-wxrx-4x23

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jj3x-wxrx-4x23

reference_url	https://access.redhat.com/errata/RHSA-2026:3782
reference_id	RHSA-2026:3782
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3782

reference_url	https://access.redhat.com/errata/RHSA-2026:5809
reference_id	RHSA-2026:5809
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5809

reference_url	https://access.redhat.com/errata/RHSA-2026:6761
reference_id	RHSA-2026:6761
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6761

reference_url	https://access.redhat.com/errata/RHSA-2026:6762
reference_id	RHSA-2026:6762
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6762

reference_url	https://usn.ubuntu.com/8032-1/
reference_id	USN-8032-1
reference_type
scores
url	https://usn.ubuntu.com/8032-1/

fixed_packages

url pkg:pypi/aiohttp@3.13.3

purl pkg:pypi/aiohttp@3.13.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19q4-vzzb-8uca

vulnerability	VCID-5f1f-mrwv-zucz

vulnerability	VCID-cg9h-fysf-xygf

vulnerability	VCID-dr2r-7qda-tfh5

vulnerability	VCID-drqp-x9gc-2qd3

vulnerability	VCID-g4rj-1kzy-pkft

vulnerability	VCID-hyh4-58xy-xfge

vulnerability	VCID-kf4p-q9n9-ayhn

vulnerability	VCID-qt9z-6kwe-wbht

vulnerability	VCID-tmjw-8cdt-7yf7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3

aliases CVE-2025-69227, GHSA-jj3x-wxrx-4x23

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gx-etxx-vkgb

url VCID-tn28-662n-vug8

vulnerability_id VCID-tn28-662n-vug8

summary

aiohttp Cross-site Scripting vulnerability on index pages for static file handling
### Summary

A XSS vulnerability exists on index pages for static file handling.

### Details

When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names.

If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

### Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.

Other users can disable `show_index` if unable to upgrade.

-----

Patch: https://github.com/aio-libs/aiohttp/pull/8319/files

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27306.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27306.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-27306

reference_id

reference_type

scores

value	0.00749
scoring_system	epss
scoring_elements	0.73167
published_at	2026-04-18T12:55:00Z

value	0.00749
scoring_system	epss
scoring_elements	0.73158
published_at	2026-04-16T12:55:00Z

value	0.00749
scoring_system	epss
scoring_elements	0.73115
published_at	2026-04-13T12:55:00Z

value	0.00749
scoring_system	epss
scoring_elements	0.73121
published_at	2026-04-12T12:55:00Z

value	0.00749
scoring_system	epss
scoring_elements	0.73141
published_at	2026-04-11T12:55:00Z

value	0.00749
scoring_system	epss
scoring_elements	0.73117
published_at	2026-04-09T12:55:00Z

value	0.00749
scoring_system	epss
scoring_elements	0.73066
published_at	2026-04-07T12:55:00Z

value	0.00749
scoring_system	epss
scoring_elements	0.73103
published_at	2026-04-08T12:55:00Z

value	0.00749
scoring_system	epss
scoring_elements	0.73072
published_at	2026-04-02T12:55:00Z

value	0.00749
scoring_system	epss
scoring_elements	0.73092
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-27306

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27306
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27306

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/

url

https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397

reference_url

https://github.com/aio-libs/aiohttp/pull/8319

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/

url

https://github.com/aio-libs/aiohttp/pull/8319

reference_url

https://github.com/aio-libs/aiohttp/pull/8319/files

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/pull/8319/files

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g

reference_url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-27306

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-27306

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070665
reference_id	1070665
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070665

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2275989
reference_id	2275989
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2275989

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP/

reference_id

2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP/

reference_url

https://github.com/advisories/GHSA-7gpw-8wmc-pm8g

reference_id

GHSA-7gpw-8wmc-pm8g

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7gpw-8wmc-pm8g

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U/

reference_id

NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U/

reference_url	https://access.redhat.com/errata/RHSA-2024:3781
reference_id	RHSA-2024:3781
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3781

reference_url	https://access.redhat.com/errata/RHSA-2024:5662
reference_id	RHSA-2024:5662
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5662

reference_url	https://access.redhat.com/errata/RHSA-2025:1335
reference_id	RHSA-2025:1335
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:1335

reference_url	https://usn.ubuntu.com/7642-1/
reference_id	USN-7642-1
reference_type
scores
url	https://usn.ubuntu.com/7642-1/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3/

reference_id

ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-25T19:36:48Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3/

fixed_packages

url pkg:pypi/aiohttp@3.9.4

purl pkg:pypi/aiohttp@3.9.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-d3pa-kwgz-vuag

vulnerability	VCID-ft9z-nd6x-27dz

vulnerability	VCID-k122-7d38-2ug5

vulnerability	VCID-peyu-fxyx-ayde

vulnerability	VCID-qrus-4szm-c3bj

vulnerability	VCID-sjws-ddnq-fke2

vulnerability	VCID-t9gx-etxx-vkgb

vulnerability	VCID-vqvz-jfqh-jkaz

vulnerability	VCID-zm3a-mf2z-xfcm

vulnerability	VCID-zrgm-47ph-x3g3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.4

aliases CVE-2024-27306, GHSA-7gpw-8wmc-pm8g

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tn28-662n-vug8

url VCID-ue33-na1g-rqa7

vulnerability_id VCID-ue33-na1g-rqa7

summary aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49082.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49082.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-49082

reference_id

reference_type

scores

value	0.00221
scoring_system	epss
scoring_elements	0.44786
published_at	2026-04-09T12:55:00Z

value	0.00221
scoring_system	epss
scoring_elements	0.4482
published_at	2026-04-18T12:55:00Z

value	0.00221
scoring_system	epss
scoring_elements	0.44826
published_at	2026-04-16T12:55:00Z

value	0.00221
scoring_system	epss
scoring_elements	0.44773
published_at	2026-04-13T12:55:00Z

value	0.00221
scoring_system	epss
scoring_elements	0.44772
published_at	2026-04-12T12:55:00Z

value	0.00221
scoring_system	epss
scoring_elements	0.44802
published_at	2026-04-11T12:55:00Z

value	0.00221
scoring_system	epss
scoring_elements	0.44783
published_at	2026-04-08T12:55:00Z

value	0.00221
scoring_system	epss
scoring_elements	0.4473
published_at	2026-04-07T12:55:00Z

value	0.00221
scoring_system	epss
scoring_elements	0.44791
published_at	2026-04-04T12:55:00Z

value	0.00221
scoring_system	epss
scoring_elements	0.4477
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-49082

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49082
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49082

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466

reference_url

https://github.com/aio-libs/aiohttp/pull/7806/files

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/pull/7806/files

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057164
reference_id	1057164
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057164

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2252248
reference_id	2252248
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2252248

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-49082

reference_id

CVE-2023-49082

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-49082

reference_url

https://github.com/advisories/GHSA-qvrw-v9rv-5rjx

reference_id

GHSA-qvrw-v9rv-5rjx

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qvrw-v9rv-5rjx

reference_url	https://security.gentoo.org/glsa/202408-11
reference_id	GLSA-202408-11
reference_type
scores
url	https://security.gentoo.org/glsa/202408-11

reference_url	https://access.redhat.com/errata/RHSA-2024:1057
reference_id	RHSA-2024:1057
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1057

reference_url	https://access.redhat.com/errata/RHSA-2024:1878
reference_id	RHSA-2024:1878
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1878

reference_url	https://usn.ubuntu.com/7642-1/
reference_id	USN-7642-1
reference_type
scores
url	https://usn.ubuntu.com/7642-1/

fixed_packages

url pkg:pypi/aiohttp@3.9.0

purl pkg:pypi/aiohttp@3.9.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bhkk-2b7c-wfgr

vulnerability	VCID-d3pa-kwgz-vuag

vulnerability	VCID-ft9z-nd6x-27dz

vulnerability	VCID-jxqg-x9dh-z3hb

vulnerability	VCID-k122-7d38-2ug5

vulnerability	VCID-peyu-fxyx-ayde

vulnerability	VCID-pqus-ew4j-k7da

vulnerability	VCID-qrus-4szm-c3bj

vulnerability	VCID-sjws-ddnq-fke2

vulnerability	VCID-t9gx-etxx-vkgb

vulnerability	VCID-tn28-662n-vug8

vulnerability	VCID-vqvz-jfqh-jkaz

vulnerability	VCID-zm3a-mf2z-xfcm

vulnerability	VCID-zrgm-47ph-x3g3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.0

aliases CVE-2023-49082, GHSA-qvrw-v9rv-5rjx, PYSEC-2023-251

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ue33-na1g-rqa7

url VCID-vqvz-jfqh-jkaz

vulnerability_id VCID-vqvz-jfqh-jkaz

summary

AIOHTTP vulnerable to brute-force leak of internal static ﬁle path components
### Summary
Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the
existence of absolute path components.

### Impact
If an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.

------

Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69226.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69226.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-69226

reference_id

reference_type

scores

value	0.00063
scoring_system	epss
scoring_elements	0.19718
published_at	2026-04-18T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19716
published_at	2026-04-16T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19741
published_at	2026-04-13T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19798
published_at	2026-04-12T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19843
published_at	2026-04-11T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.1984
published_at	2026-04-09T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19982
published_at	2026-04-04T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19788
published_at	2026-04-08T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19927
published_at	2026-04-02T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19708
published_at	2026-04-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-69226

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69226
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69226

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:35Z/

url

https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76

reference_id

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:25:35Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-69226

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-69226

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2427245
reference_id	2427245
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2427245

reference_url

https://github.com/advisories/GHSA-54jq-c3m8-4m76

reference_id

GHSA-54jq-c3m8-4m76

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-54jq-c3m8-4m76

reference_url	https://usn.ubuntu.com/8032-1/
reference_id	USN-8032-1
reference_type
scores
url	https://usn.ubuntu.com/8032-1/

fixed_packages

url pkg:pypi/aiohttp@3.13.3

purl pkg:pypi/aiohttp@3.13.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19q4-vzzb-8uca

vulnerability	VCID-5f1f-mrwv-zucz

vulnerability	VCID-cg9h-fysf-xygf

vulnerability	VCID-dr2r-7qda-tfh5

vulnerability	VCID-drqp-x9gc-2qd3

vulnerability	VCID-g4rj-1kzy-pkft

vulnerability	VCID-hyh4-58xy-xfge

vulnerability	VCID-kf4p-q9n9-ayhn

vulnerability	VCID-qt9z-6kwe-wbht

vulnerability	VCID-tmjw-8cdt-7yf7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3

aliases CVE-2025-69226, GHSA-54jq-c3m8-4m76

risk_score 2.9

exploitability 0.5

weighted_severity 5.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vqvz-jfqh-jkaz

url VCID-zm3a-mf2z-xfcm

vulnerability_id VCID-zm3a-mf2z-xfcm

summary

AIOHTTP Vulnerable to Cookie Parser Warning Storm
### Summary
Reading multiple invalid cookies can lead to a logging storm.

### Impact
If the ``cookies`` attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.

----

Patch: https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69230.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69230.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-69230

reference_id

reference_type

scores

value	0.00014
scoring_system	epss
scoring_elements	0.02533
published_at	2026-04-18T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02528
published_at	2026-04-16T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02541
published_at	2026-04-13T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02554
published_at	2026-04-11T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02572
published_at	2026-04-09T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02551
published_at	2026-04-08T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02546
published_at	2026-04-07T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02529
published_at	2026-04-02T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02543
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-69230

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69230
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69230

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:37Z/

url

https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g

reference_id

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:37Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-69230

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-69230

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2427255
reference_id	2427255
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2427255

reference_url

https://github.com/advisories/GHSA-fh55-r93g-j68g

reference_id

GHSA-fh55-r93g-j68g

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fh55-r93g-j68g

fixed_packages

url pkg:pypi/aiohttp@3.13.3

purl pkg:pypi/aiohttp@3.13.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19q4-vzzb-8uca

vulnerability	VCID-5f1f-mrwv-zucz

vulnerability	VCID-cg9h-fysf-xygf

vulnerability	VCID-dr2r-7qda-tfh5

vulnerability	VCID-drqp-x9gc-2qd3

vulnerability	VCID-g4rj-1kzy-pkft

vulnerability	VCID-hyh4-58xy-xfge

vulnerability	VCID-kf4p-q9n9-ayhn

vulnerability	VCID-qt9z-6kwe-wbht

vulnerability	VCID-tmjw-8cdt-7yf7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.13.3

aliases CVE-2025-69230, GHSA-fh55-r93g-j68g

risk_score 2.5

exploitability 0.5

weighted_severity 4.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zm3a-mf2z-xfcm

url VCID-zrgm-47ph-x3g3

vulnerability_id VCID-zrgm-47ph-x3g3

summary

aiohttp allows request smuggling due to incorrect parsing of chunk extensions
### Summary
The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52304.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52304.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-52304

reference_id

reference_type

scores

value	0.00456
scoring_system	epss
scoring_elements	0.63921
published_at	2026-04-18T12:55:00Z

value	0.00456
scoring_system	epss
scoring_elements	0.63911
published_at	2026-04-16T12:55:00Z

value	0.00456
scoring_system	epss
scoring_elements	0.63876
published_at	2026-04-13T12:55:00Z

value	0.00456
scoring_system	epss
scoring_elements	0.63909
published_at	2026-04-12T12:55:00Z

value	0.00456
scoring_system	epss
scoring_elements	0.63923
published_at	2026-04-11T12:55:00Z

value	0.00456
scoring_system	epss
scoring_elements	0.6391
published_at	2026-04-09T12:55:00Z

value	0.00456
scoring_system	epss
scoring_elements	0.63892
published_at	2026-04-08T12:55:00Z

value	0.00456
scoring_system	epss
scoring_elements	0.63842
published_at	2026-04-07T12:55:00Z

value	0.00456
scoring_system	epss
scoring_elements	0.63858
published_at	2026-04-02T12:55:00Z

value	0.00456
scoring_system	epss
scoring_elements	0.63885
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-52304

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52304
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52304

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/aio-libs/aiohttp

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/aio-libs/aiohttp

reference_url

https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-19T15:38:44Z/

url

https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

reference_url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-19T15:38:44Z/

url

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr

reference_url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-52304

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-52304

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088109
reference_id	1088109
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088109

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2327130
reference_id	2327130
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2327130

reference_url

https://github.com/advisories/GHSA-8495-4g3g-x7pr

reference_id

GHSA-8495-4g3g-x7pr

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8495-4g3g-x7pr

reference_url	https://access.redhat.com/errata/RHSA-2024:10766
reference_id	RHSA-2024:10766
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10766

reference_url	https://access.redhat.com/errata/RHSA-2024:11574
reference_id	RHSA-2024:11574
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:11574

reference_url	https://access.redhat.com/errata/RHSA-2025:0340
reference_id	RHSA-2025:0340
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:0340

reference_url	https://access.redhat.com/errata/RHSA-2025:0341
reference_id	RHSA-2025:0341
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:0341

reference_url	https://access.redhat.com/errata/RHSA-2025:0722
reference_id	RHSA-2025:0722
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:0722

reference_url	https://access.redhat.com/errata/RHSA-2025:0753
reference_id	RHSA-2025:0753
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:0753

reference_url	https://access.redhat.com/errata/RHSA-2025:1101
reference_id	RHSA-2025:1101
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:1101

reference_url	https://usn.ubuntu.com/7642-1/
reference_id	USN-7642-1
reference_type
scores
url	https://usn.ubuntu.com/7642-1/

fixed_packages

url pkg:pypi/aiohttp@3.10.11

purl pkg:pypi/aiohttp@3.10.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-d3pa-kwgz-vuag

vulnerability	VCID-ft9z-nd6x-27dz

vulnerability	VCID-k122-7d38-2ug5

vulnerability	VCID-peyu-fxyx-ayde

vulnerability	VCID-qrus-4szm-c3bj

vulnerability	VCID-sjws-ddnq-fke2

vulnerability	VCID-t9gx-etxx-vkgb

vulnerability	VCID-vqvz-jfqh-jkaz

vulnerability	VCID-zm3a-mf2z-xfcm

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.10.11

aliases CVE-2024-52304, GHSA-8495-4g3g-x7pr

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zrgm-47ph-x3g3

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.0rc0

Package Instance