Package details: pkg:pypi/aiohttp@3.9.3
purl pkg:pypi/aiohttp@3.9.3
Next non-vulnerable version 3.13.4
Latest non-vulnerable version 4.0.0a0
Risk 4.0
Vulnerabilities affecting this package (12)
Vulnerability Summary Fixed by
VCID-bhkk-2b7c-wfgr
Aliases:
CVE-2024-30251
GHSA-5m98-qgg9-wh84
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests ### Summary An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. ### Impact An attacker can stop the application from serving requests after sending a single request. ------- For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`): ```diff diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py index 227be605c..71fc2654a 100644 --- a/aiohttp/multipart.py +++ b/aiohttp/multipart.py @@ -338,6 +338,8 @@ class BodyPartReader: assert self._length is not None, "Content-Length required for chunked read" chunk_size = min(size, self._length - self._read_bytes) chunk = await self._content.read(chunk_size) + if self._content.at_eof(): + self._at_eof = True return chunk async def _read_chunk_from_stream(self, size: int) -> bytes: ``` This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in: https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
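Review bot: the added `if self._content.at_eof(): self._at_eof = True` check marks the body part as finished whenever the underlying stream has reached EOF, without comparing the bytes read so far against `self._length` (the hunk only uses `self._length - self._read_bytes` to size the read), so a part whose stream ends before its declared Content-Length is silently accepted as complete instead of being rejected as truncated. This is the minimal loop-termination fix, and the advisory itself notes it leaves minor form-handling issues; a backport should either raise on a short read at this point or also pick up the three follow-up commits listed after the diff.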
3.9.4
Affected by 10 other vulnerabilities.
VCID-d3pa-kwgz-vuag
Aliases:
CVE-2025-69228
GHSA-6jhg-hg63-jvvf
AIOHTTP vulnerable to denial of service through large payloads ### Summary A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing. ### Impact If an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory. ----- Patch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60
3.13.3
Affected by 10 other vulnerabilities.
VCID-ft9z-nd6x-27dz
Aliases:
CVE-2025-69225
GHSA-mqqc-3gqh-h2x8
AIOHTTP has unicode match groups in regexes for ASCII protocol elements ### Summary The parser allows non-ASCII decimals to be present in the Range header. ### Impact There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. ---- Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
3.13.3
Affected by 10 other vulnerabilities.
VCID-k122-7d38-2ug5
Aliases:
CVE-2025-53643
GHSA-9548-qrrj-x5pj
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections ### Summary The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ---- Patch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a
3.12.14
Affected by 8 other vulnerabilities.
VCID-peyu-fxyx-ayde
Aliases:
CVE-2025-69229
GHSA-g84x-mcqj-x9qq
AIOHTTP vulnerable to DoS through chunked messages ### Summary Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. ### Impact If an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. ----- Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712 Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
3.13.3
Affected by 10 other vulnerabilities.
VCID-qrus-4szm-c3bj
Aliases:
CVE-2025-69224
GHSA-69f9-5gxw-wvc2
AIOHTTP's unicode processing of header values could cause parsing discrepancies ### Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ------ Patch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0
3.13.3
Affected by 10 other vulnerabilities.
VCID-sjws-ddnq-fke2
Aliases:
CVE-2025-69223
GHSA-6mq8-rvhq-8wgg
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb ### Summary A zip bomb can be used to execute a DoS against the aiohttp server. ### Impact An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory. ------ Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
3.13.3
Affected by 10 other vulnerabilities.
VCID-t9gx-etxx-vkgb
Aliases:
CVE-2025-69227
GHSA-jj3x-wxrx-4x23
AIOHTTP vulnerable to DoS when bypassing asserts ### Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. ### Impact If optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message. ------ Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259
3.13.3
Affected by 10 other vulnerabilities.
VCID-tn28-662n-vug8
Aliases:
CVE-2024-27306
GHSA-7gpw-8wmc-pm8g
aiohttp Cross-site Scripting vulnerability on index pages for static file handling ### Summary An XSS vulnerability exists on index pages for static file handling. ### Details When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks. ### Workaround We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. ----- Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
3.9.4
Affected by 10 other vulnerabilities.
VCID-vqvz-jfqh-jkaz
Aliases:
CVE-2025-69226
GHSA-54jq-c3m8-4m76
AIOHTTP vulnerable to brute-force leak of internal static file path components ### Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components. ### Impact If an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. ------ Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
3.13.3
Affected by 10 other vulnerabilities.
VCID-zm3a-mf2z-xfcm
Aliases:
CVE-2025-69230
GHSA-fh55-r93g-j68g
AIOHTTP Vulnerable to Cookie Parser Warning Storm ### Summary Reading multiple invalid cookies can lead to a logging storm. ### Impact If the ``cookies`` attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. ---- Patch: https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326
3.13.3
Affected by 10 other vulnerabilities.
VCID-zrgm-47ph-x3g3
Aliases:
CVE-2024-52304
GHSA-8495-4g3g-x7pr
aiohttp allows request smuggling due to incorrect parsing of chunk extensions ### Summary The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ----- Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
3.10.11
Affected by 9 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-17T00:05:54.791017+00:00 GitLab Importer Affected by VCID-t9gx-etxx-vkgb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69227.yml 38.4.0
2026-04-17T00:05:52.817705+00:00 GitLab Importer Affected by VCID-d3pa-kwgz-vuag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69228.yml 38.4.0
2026-04-17T00:05:51.096991+00:00 GitLab Importer Affected by VCID-peyu-fxyx-ayde https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69229.yml 38.4.0
2026-04-17T00:05:47.527888+00:00 GitLab Importer Affected by VCID-qrus-4szm-c3bj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69224.yml 38.4.0
2026-04-17T00:05:45.103837+00:00 GitLab Importer Affected by VCID-sjws-ddnq-fke2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69223.yml 38.4.0
2026-04-17T00:05:35.357601+00:00 GitLab Importer Affected by VCID-vqvz-jfqh-jkaz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69226.yml 38.4.0
2026-04-17T00:05:32.479175+00:00 GitLab Importer Affected by VCID-zm3a-mf2z-xfcm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69230.yml 38.4.0
2026-04-17T00:05:29.841595+00:00 GitLab Importer Affected by VCID-ft9z-nd6x-27dz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69225.yml 38.4.0
2026-04-16T23:33:11.660046+00:00 GitLab Importer Affected by VCID-k122-7d38-2ug5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-53643.yml 38.4.0
2026-04-16T23:14:49.714442+00:00 GitLab Importer Affected by VCID-zrgm-47ph-x3g3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2024-52304.yml 38.4.0
2026-04-16T22:57:04.740607+00:00 GitLab Importer Affected by VCID-bhkk-2b7c-wfgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2024-30251.yml 38.4.0
2026-04-16T22:56:26.936189+00:00 GitLab Importer Affected by VCID-tn28-662n-vug8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2024-27306.yml 38.4.0
2026-04-12T01:29:14.177257+00:00 GitLab Importer Affected by VCID-t9gx-etxx-vkgb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69227.yml 38.3.0
2026-04-12T01:29:12.066573+00:00 GitLab Importer Affected by VCID-d3pa-kwgz-vuag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69228.yml 38.3.0
2026-04-12T01:29:10.220448+00:00 GitLab Importer Affected by VCID-peyu-fxyx-ayde https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69229.yml 38.3.0
2026-04-12T01:29:06.469779+00:00 GitLab Importer Affected by VCID-qrus-4szm-c3bj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69224.yml 38.3.0
2026-04-12T01:29:04.155372+00:00 GitLab Importer Affected by VCID-sjws-ddnq-fke2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69223.yml 38.3.0
2026-04-12T01:28:53.623064+00:00 GitLab Importer Affected by VCID-vqvz-jfqh-jkaz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69226.yml 38.3.0
2026-04-12T01:28:50.660027+00:00 GitLab Importer Affected by VCID-zm3a-mf2z-xfcm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69230.yml 38.3.0
2026-04-12T01:28:47.837841+00:00 GitLab Importer Affected by VCID-ft9z-nd6x-27dz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69225.yml 38.3.0
2026-04-12T00:53:11.896647+00:00 GitLab Importer Affected by VCID-k122-7d38-2ug5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-53643.yml 38.3.0
2026-04-12T00:33:24.861420+00:00 GitLab Importer Affected by VCID-zrgm-47ph-x3g3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2024-52304.yml 38.3.0
2026-04-12T00:15:18.940794+00:00 GitLab Importer Affected by VCID-bhkk-2b7c-wfgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2024-30251.yml 38.3.0
2026-04-12T00:14:53.794674+00:00 GitLab Importer Affected by VCID-tn28-662n-vug8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2024-27306.yml 38.3.0
2026-04-03T01:37:57.052769+00:00 GitLab Importer Affected by VCID-t9gx-etxx-vkgb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69227.yml 38.1.0
2026-04-03T01:37:55.030425+00:00 GitLab Importer Affected by VCID-d3pa-kwgz-vuag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69228.yml 38.1.0
2026-04-03T01:37:53.242186+00:00 GitLab Importer Affected by VCID-peyu-fxyx-ayde https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69229.yml 38.1.0
2026-04-03T01:37:49.635888+00:00 GitLab Importer Affected by VCID-qrus-4szm-c3bj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69224.yml 38.1.0
2026-04-03T01:37:46.869715+00:00 GitLab Importer Affected by VCID-sjws-ddnq-fke2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69223.yml 38.1.0
2026-04-03T01:37:35.830225+00:00 GitLab Importer Affected by VCID-vqvz-jfqh-jkaz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69226.yml 38.1.0
2026-04-03T01:37:33.283775+00:00 GitLab Importer Affected by VCID-zm3a-mf2z-xfcm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69230.yml 38.1.0
2026-04-03T01:37:30.514978+00:00 GitLab Importer Affected by VCID-ft9z-nd6x-27dz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-69225.yml 38.1.0
2026-04-03T01:01:20.832507+00:00 GitLab Importer Affected by VCID-k122-7d38-2ug5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2025-53643.yml 38.1.0
2026-04-03T00:41:08.106615+00:00 GitLab Importer Affected by VCID-zrgm-47ph-x3g3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2024-52304.yml 38.1.0
2026-04-03T00:22:07.932656+00:00 GitLab Importer Affected by VCID-bhkk-2b7c-wfgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2024-30251.yml 38.1.0
2026-04-03T00:21:25.380632+00:00 GitLab Importer Affected by VCID-tn28-662n-vug8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aiohttp/CVE-2024-27306.yml 38.1.0