Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-peyu-fxyx-ayde
Vulnerability ID VCID-peyu-fxyx-ayde
Aliases CVE-2025-69229
GHSA-g84x-mcqj-x9qq
Summary AIOHTTP vulnerable to DoS through chunked messages ### Summary Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. ### Impact If an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. ----- Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712 Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69229.json
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00067 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
epss 0.00067 https://api.first.org/data/v1/epss?cve=CVE-2025-69229
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-g84x-mcqj-x9qq
cvssv4 6.6 https://github.com/aio-libs/aiohttp
generic_textual MODERATE https://github.com/aio-libs/aiohttp
cvssv4 6.6 https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
generic_textual MODERATE https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
ssvc Track https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
cvssv4 6.6 https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
generic_textual MODERATE https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
ssvc Track https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
cvssv3.1_qr MODERATE https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
cvssv4 6.6 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
generic_textual MODERATE https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
ssvc Track https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
cvssv4 6.6 https://nvd.nist.gov/vuln/detail/CVE-2025-69229
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-69229
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69229.json
https://api.first.org/data/v1/epss?cve=CVE-2025-69229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69229
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/aio-libs/aiohttp
https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
https://nvd.nist.gov/vuln/detail/CVE-2025-69229
2427257 https://bugzilla.redhat.com/show_bug.cgi?id=2427257
GHSA-g84x-mcqj-x9qq https://github.com/advisories/GHSA-g84x-mcqj-x9qq
USN-8032-1 https://usn.ubuntu.com/8032-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69229.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/aio-libs/aiohttp
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:45Z/ Found at https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:45Z/ Found at https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:24:45Z/ Found at https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://nvd.nist.gov/vuln/detail/CVE-2025-69229
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.16391
EPSS Score 0.00052
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:24.780247+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-g84x-mcqj-x9qq/GHSA-g84x-mcqj-x9qq.json 38.0.0